1 - Information Security Governance and Risk Management Flashcards

(135 cards)

1
Q
1. Which of the following is not an example of a security control that ensures confidentiality?
a. Data classification
b. Encryption
c. Restricting changes
d. Network traffic padding
A
C: Restricting changes is an integrity-protecting security mechanism.

2
Q
2. Who is ultimately responsible and liable if the security perimeter of an organization is violated by an intruder and asset losses occur?
a. Senior management
b. Network or system administrators
c. Security guards
d. End users
A
A: Senior management is ultimately responsible and liable if the security perimeter of an organization is violated by an intruder and asset losses occur. Senior management is responsible for all aspects of security and is the primary decision maker. However, in most cases the implementation of security is delegated to lower levels of the authority hierarchy, such as the network or system administrators.

3
Q
3. Which of the following is not an example of a technical or logical security control?
a. Encryption
b. Personnel screening
c. Identification
d. Access Control Lists
A
B: Personnel screening is an administrative security control. There are three types of security controls: administrative, physical, and logical or technical.

4
Q
4. Which of the following is an administrative security control?
a. Personnel screening
b. Encryption
c. Authorization
d. Security guards
A
A: Personnel screening is an administrative security control.

5
Q
5. Which of the following is a technical security control?
a. Standards
b. Security devices
c. Door locks
d. Personnel screening
A
B: Security devices are technical security controls.

6
Q
6. Which of the following is a physical security control?
a. Logical access controls
b. Security awareness training
c. Identification
d. Environmental controls
A
D: Environmental controls are physical security controls.

7
Q
7. Which of the following is the best personnel arrangement for the design and management of security for an organization?
a. A single security professional from within the organization
b. A team of security professionals from the organization
c. A team of employees representing every department within the organization
d. An outside consultant
A
B: The best personnel arrangement for the design and management of security for an organization is a team of internal security professionals.

8
Q
8. Which of the following is not a role or responsibility of the Security Administration team or group within an organization?
a. Monitoring the security of the entire organization
b. Integrating security into the business environment
c. Identifying, valuating, and classifying assets
d. Approving the security policy
A
D: Approving the security policy is the responsibility of senior management, not that of the Security Administration team or group within an organization.

9
Q
9. Who is ultimately responsible for negligence in protecting the assets of an organization?
a. Senior management
b. Security team
c. IT department
d. Data custodian
A
A: Senior management is ultimately responsible for implementing prudent due care and is liable for negligence in protecting the assets of an organization.

10
Q
10. Which of the following is not one of the three security control types that a security administrator can employ to manage and impose security?
a. Administrative
b. Technical
c. Strategic
d. Physical
A
C: Administrative, technical, and physical are the three security control types that a security administrator can employ to manage and impose security.

11
Q
11. Which of the following is not an element in the CIA triad?
a. Availability
b. Integrity
c. Privacy
d. Confidentiality
A
C: Confidentiality, integrity, and availability are the elements of the CIA triad.

12
Q
12. Which of the following is a valid definition for confidentiality?
a. Unauthorized disclosure is prevented.
b. Unauthorized modification is prevented.
c. Resources are accessible at all times by authorized users.
d. Disasters can be recovered from quickly.
A
A: Confidentiality can be defined by "Unauthorized disclosure is prevented."

13
Q
13. Which of the following is not a task assigned to a data owner?
a. Assign classifications to data
b. Dictate how information is to be protected
c. Delegate security responsibilities to data custodians
d. Implement security controls
A
D: Implementing security controls is the responsibility of the security administration team or the data custodians, not of the data owner.

14
Q
14. A security administrator may employ all but which of the following types of controls to implement a security solution?
a. Executive
b. Administrative
c. Technical
d. Physical
A
A: Executive is not a valid type of security control. The three valid types of security control are administrative, technical (or logical), and physical.

15
Q
15. Which of the following is an example of an administrative security control?
a. Security guards
b. Policies
c. Locks
d. Intrusion detection systems
A
B: Policies are an example of an administrative security control.

16
Q
16. Which of the following is not an example of an administrative security control?
a. Standards
b. Guidelines
c. Identification
d. Personnel screening
A
C: Identification is an example of a logical/technical security control.

17
Q
17. Which of the following is not one of the fundamental principles of security included in the CIA triad?
a. Confidentiality
b. Integrity
c. Accountability
d. Availability
A
C: While accountability is an important part of IT security, it is not one of the three fundamental principles of security included in the CIA triad, which are Confidentiality, Integrity, and Availability.

18
Q
18. The ability of a computer system to provide adequate capacity for predictable performance represents which of the fundamental security principles of the CIA triad?
a. Confidentiality
b. Integrity
c. Accountability
d. Availability
A
D: The ability of a computer system to provide adequate capacity for predictable performance is an example of Availability.

19
Q
19. Which of the following is not an example of a physical security control?
a. Dogs
b. Fencing
c. Biometric authentication
d. Badge IDs
A
C: Biometric authentication is an example of a technical/logical security control.

20
Q
20. Which of the following is not an example of a valid activity of security management?
a. Evaluating the loss of productivity due to restrictions imposed by the security solution
b. Managing user complaints of access restrictions or resource unavailability by fine-tuning least privilege access
c. Proposing to senior management the alteration or rescinding of a security policy
d. Deploying a new security control in a mission critical environment
A
D: It is not good security management practice to deploy a new security control, especially in a mission critical environment, before that control has been thoroughly tested.

21
Q
21. Which of the following is an example of a technical security control?
a. Procedures
b. Awareness training
c. Perimeter lighting
d. Encryption
A
D: Encryption is an example of a technical/logical security control.

22
Q
22. Which of the following is not an example of a technical security control?
a. Fire detection and suppression
b. Access control matrix
c. Authorization
d. Traffic filtering
A
A: Fire detection and suppression is an example of a physical security control.

23
Q
23. Which of the following is an example of a physical security control?
a. Rule-based access controls
b. CCTV
c. Exit interviews
d. Traffic tunneling
A
B: CCTV is an example of a physical security control.

24
Q
24. Which of the following is an example of a security control that focuses on maintaining availability?
a. Encrypted transport of data
b. Quick recovery from faults
c. Fixed packet length transmissions
d. User awareness training
A
B: Quick recovery from faults is an example of a security control that focuses on maintaining availability.

25
Q
25. Which of the following is not an example of a security control that focuses on maintaining availability?
a. Clustered machines
b. Avoiding single points of failure
c. Implementing need-to-know access controls
d. Controlling the environmental characteristics
A
C: Implementing need to know access controls is an example of a security control that focuses on maintaining confidentiality.

26
Q
26. What is a vulnerability?
a. The likelihood that a system will experience a security breach
b. An instance of being exposed to losses from a threat agent
c. A potential danger to information or systems
d. The absence or weakness of a safeguard that could be exploited
A
D: A vulnerability is the absence or weakness of a safeguard that could be exploited.

27
Q
27. Which of the following is not an example of a security control that focuses on maintaining confidentiality?
a. Data encryption
b. Access control
c. Change restrictions
d. Personnel training
A
C: Change restrictions is an example of a security control that focuses on maintaining integrity.

28
Q
28. Which of the following is an example of a security control that focuses on maintaining integrity?
a. Network monitoring
b. Denial of service attack protection
c. Data classification
d. Encryption of data in transit
A
D: Encryption of data in transit is the best answer offered: network monitoring and DoS protection serve availability, and data classification serves confidentiality. Note that encryption by itself protects confidentiality; the integrity guarantee of transport encryption comes from the message authentication code or authenticated cipher mode that protocols such as TLS bundle with the encryption.

29
Q
29. Which of the following is not an example of a security control that focuses on maintaining integrity?
a. Network monitoring
b. Managing alterations to data in a database
c. Validating input data
d. Message digest
A
A: Network monitoring is an example of a security control that focuses on maintaining availability.
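Cards 27 through 29 separate confidentiality controls (encryption) from integrity controls (message digests, change management, input validation). The following Python script is an added example, not part of the original flashcard deck, that makes the distinction concrete: a toy XOR stream cipher keeps a message secret, yet an attacker who knows where a field sits can flip ciphertext bits and change the decrypted value without the key; appending an HMAC (a keyed message digest) over the ciphertext detects the change. The keys, the transfer message and the field offsets are all constructed for the demo.

```python
"""Added example (not part of the original flashcard deck): why encryption is a
confidentiality control and a message digest / MAC is an integrity control, as
cards 27-29 distinguish them.

A toy XOR stream cipher hides the plaintext, but an attacker who knows where a
field sits can flip ciphertext bits and change the decrypted value without the
key. Appending an HMAC (a keyed message digest) over the ciphertext detects the
change. Keys, the message and the field offsets are all constructed for the demo.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def xor_stream(keystream: bytes, data: bytes) -> bytes:
    """Toy encryption: XOR with a keystream. XOR is its own inverse, so the
    same function decrypts. Real stream ciphers share this malleability."""
    if len(keystream) < len(data):
        raise ValueError("keystream too short")
    return bytes(k ^ d for k, d in zip(keystream, data))


def bit_flip(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Attacker step: without the key, turn the plaintext bytes `known` at
    `offset` into `wanted` by XORing (known ^ wanted) into the ciphertext."""
    if len(known) != len(wanted):
        raise ValueError("replacement must be the same length")
    mutated = bytearray(ciphertext)
    for i, (k, w) in enumerate(zip(known, wanted)):
        mutated[offset + i] ^= k ^ w
    return bytes(mutated)


def seal(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Integrity control: append HMAC-SHA256 over the ciphertext (encrypt-then-MAC)."""
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def open_sealed(mac_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the ciphertext if the tag verifies, else None. compare_digest
    avoids a timing side channel on the tag comparison."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, expected) else None


def run_demo(plaintext: bytes = b"TRANSFER AMOUNT=0100 TO=ALICE",
             field_offset: int = 16, known: bytes = b"0100",
             wanted: bytes = b"9900") -> Dict[str, object]:
    """Run both scenarios and report what the receiver ends up with."""
    enc_key = os.urandom(len(plaintext))   # constructed keystream for the demo
    mac_key = os.urandom(32)               # constructed MAC key for the demo

    ciphertext = xor_stream(enc_key, plaintext)
    forged = bit_flip(ciphertext, field_offset, known, wanted)

    # Scenario 1: encryption only. The receiver decrypts the forgery happily.
    decrypted_forgery = xor_stream(enc_key, forged)

    # Scenario 2: encryption plus HMAC. The forged ciphertext fails verification.
    sealed = seal(mac_key, ciphertext)
    forged_sealed = bit_flip(sealed, field_offset, known, wanted)  # tag left intact
    genuine_body = open_sealed(mac_key, sealed)
    forged_body = open_sealed(mac_key, forged_sealed)

    return {
        "decrypted_forgery": decrypted_forgery,
        "genuine_accepted": genuine_body is not None
        and xor_stream(enc_key, genuine_body) == plaintext,
        "forgery_accepted": forged_body is not None,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

With the defaults, the encryption-only receiver decrypts the forged message as "TRANSFER AMOUNT=9900 TO=ALICE" and has no way to tell, while the sealed version rejects the same forgery and accepts the genuine one. That is the practical reason card 29 lists a message digest as an integrity control and card 27 lists encryption under confidentiality.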

30
Q
30. For a security policy to be effective and comprehensive, it must thoroughly address the three fundamental principles of security, which are?
a. Confidentiality, Integrity, Availability
b. Confinement, Integrity, Accessibility
c. Corroboration, Interrogation, Authorization
d. Continuity, Intelligence, Authentication
A
A: The three fundamental principles of security are Confidentiality, Integrity, and Availability.

31
Q
31. Which of the following is an example of a security control that focuses on maintaining confidentiality?
a. Controlled interface to access data
b. Network traffic padding
c. Input validity verification
d. Backups
A
B: Network traffic padding is an example of a security control that focuses on maintaining confidentiality.

32
Q
32. Which of the following is not an example of a risk?
a. Failing to review audit logs
b. Failing to enforce password policy
c. Not updating anti-virus software
d. Not filtering traffic on border communication links
A
A: Failing to review audit logs is not itself a risk, but it shows a lack of compliance with a realistic security policy. Reviewing audit logs is often how an organization discovers that a risk has become an actual intrusion or attack.

33
Q
33. Which of the following is not a method by which risk is reduced or eliminated?
a. Applying a safeguard
b. Waiting
c. Removing the vulnerability
d. Blocking the threat agent
A
B: Waiting is not a valid response to risk and waiting will not reduce risk.

34
Q
34. An instance of being exposed to losses from a threat is known as?
a. Vulnerability
b. Single loss expectancy
c. Exposure
d. Breach
A
C: Exposure is an instance of being exposed to losses from a threat.

35
Q
35. Which of the following is not an example of a vulnerability?
a. Assigning all users access based on job descriptions
b. Modems on clients
c. Open ports
d. Access to the server room
A
A: Assigning all users access based on job descriptions is a valid form of security control; it is not an example of a vulnerability.

36
Q
36. Which of the following is an example of a vulnerability?
a. Restricting access to authorized users
b. Failing to enforce the password policy
c. Filtering traffic at all communication borders
d. Implementing physical access restrictions
A
B: Failing to enforce the password policy is an example of a vulnerability.

37
Q
37. Which of the following is not an example of a threat?
a. Intruder access through a firewall
b. Activities that violate the security policy
c. A biometric device failing to authenticate a valid user
d. A natural disaster that destroys the IT infrastructure
A
C: A biometric device failing to authenticate a valid user is a False Rejection (Type I) error, but it is not a threat.

38
Q
38. Which of the following is an example of a threat?
a. Blocking all attachments at the e-mail gateway
b. Scanning for malicious code
c. Performing vulnerability assessment without senior management approval
d. A user destroying confidential data
A
D: A user destroying confidential data is an example of a threat.

39
Q
39. Which of the following is not true regarding an operational security plan?
a. Includes an approved software list
b. Integrates the elements of other plans
c. Defines short term tasks necessary to the accomplishing of objectives
d. Prescribes a logical sequence of initiatives
A
A: A system specific plan includes an approved software list.

40
Q
40. The purpose of a safeguard is to?
a. Remove a threat agent
b. Enhance an exposure
c. Update a security policy
d. Reduce or remove a vulnerability
A
D: A safeguard's purpose is to reduce or remove a vulnerability.

41
Q
41. Which of the following is not an example of a safeguard?
a. Relaxing the filters on a firewall
b. Imposing strong password management
c. Deploying security guards
d. Enabling BIOS passwords
A
A: Relaxing the filters on a firewall is the removal of a safeguard.

42
Q
42. The top-down approach to security management provides for all but which of the following?
a. Provides for policy initiation, support, and direction
b. Provides for assignment of responsibility to down-level administrators
c. Provides for development and implementation of standards, guidelines, and procedures
d. Provides for development of security control configurations
A
B: The top down approach to security management does not provide for the assignment of responsibility to down-level administrators. Senior management is always ultimately responsible for the success or failure of the security policy and resulting security solution.

43
Q
43. Which of the following is not an example of a risk?
a. Human error
b. Equipment malfunction
c. Replacing human security guards with dogs
d. Disgruntled insider
A
C: Replacing human security guards with dogs is a change in a security access control; it is not an example of a risk.

44
Q
44. Risk is the ______________ of something happening that will damage assets.
a. Certainty
b. Evaluation
c. Prevention
d. Possibility
A
D: Risk is the possibility of something happening that will damage assets.

45
Q
45. When will risk be totally eliminated?
a. When the organization ceases to exist
b. When the security policy is properly implemented
c. When all systems are powered down
d. When all users have completed security awareness training
A
A: Risk will be totally eliminated only when the organization ceases to exist.

46
Q
46. Which of the following represent the primary security factors that a private sector organization is concerned about?
a. Data confidentiality and integrity
b. Data availability and integrity
c. Data non-repudiation and encryption
d. Data availability and confidentiality
A
B: Private sector organizations are primarily concerned about data availability and integrity.

47
Q
47. The most important aspect of security to military organizations is?
a. Integrity
b. Non-repudiation
c. Confidentiality
d. Availability
A
C: Confidentiality is the most important aspect of security to military organizations.

48
Q
48. What is the primary goal of risk management?
a. Remove all risk
b. Perform a qualitative analysis of risk
c. Remove liability from senior management
d. Reduce risk to an acceptable level
A
D: The primary goal of risk management is to reduce risk to an acceptable level.

49
Q
49. An effective safeguard, when evaluated via risk analysis, should?
a. Cost less than the loss possible via the risk
b. Offer a complete solution for an individual specified risk
c. Be invisible to the user
d. Allow itself to be removed easily
A
A: From a risk analysis perspective, an effective safeguard must cost less than the loss it prevents.

50
Q
50. All but which of the following apply to senior management in relation to risk analysis?
a. Directs and supports risk analysis
b. Is a member of the Risk Assessment team
c. Acts appropriately upon the results
d. Reviews the outcome of the analysis
A
B: The Risk Assessment Team should be comprised of a representative from most or all departments, not necessarily senior management.

51
Q
51. The first step in risk analysis is?
a. Countermeasure selection
b. Cost/benefit analysis
c. Asset valuation
d. Qualitative analysis of risk
A
C: Asset valuation is the first step in risk analysis. If assets have no value, there is no need to protect them.

52
Q
52. Risk management attempts to reduce risk to an acceptable level by performing all but which of the following activities?
a. Track down intruders for prosecution
b. Analyze the probability of attack occurrence
c. Predict the impact of a breach
d. Evaluate safeguards
A
A: Tracking down intruders for prosecution is not a function or element of risk management; it is a possible follow-on to intrusion detection.

53
Q
53. Which of the following is not an example of a risk?
a. Physical damage
b. Blocking ports
c. Misuse of data
d. Buffer overflow
A
B: Blocking ports is a safeguard, not a risk.

54
Q
54. The value of an asset helps to determine?
a. Length of time committed to performing qualitative analysis
b. Whether or not to perform a quantitative analysis
c. Whether a logical or a technical control is evaluated
d. The relative strength and cost of the safeguard
A
D: The value of an asset helps to determine the relative strength and cost of the safeguard selected to protect it.

55
Q
55. Which of the following is not considered an element in determining the cost of an asset?
a. Cost to train personnel to employ
b. Cost to develop
c. Cost to acquire
d. Cost to maintain
A
A: The cost to train personnel is the least relevant of the options offered; the costs to develop, acquire, and maintain an asset are the standard elements of its cost. Training costs are hard to attribute to a single asset, since training on a specific asset is usually bundled into general IT training. Training does carry a cost, so this answer is technically defensible, but it is the least correct of those offered.

56
Q
56. Which of the following is not considered an element in determining the cost of an asset?
a. Cost to protect
b. Cost in MB of hard drive storage requirements
c. Value to owners and users
d. Value to competitors
A
B: The raw size of an asset in MB is far less relevant than its overall storage and maintenance cost when determining the cost of an asset. Storage does cost something, so this answer is technically defensible, but it is the least correct of those offered.

57
Q
57. The purpose of risk management is?
a. Safeguard evaluation
b. Risk mitigation
c. Loss estimation
d. Remove all risk
A
B: The purpose of risk management is risk mitigation. However, even in the most successful implementation, there is always some level of risk.

58
Q
58. Risk analysis is used to determine whether safeguards are all but which of the following?
a. Cost effective
b. Relevant
c. Exhaustive
d. Timely
A
C: No safeguard is exhaustive of all risks.

59
Q
59. The objectives of risk analysis include all but which of the following?
a. Identify risk
b. Quantify the impact of each risk
c. Evaluate the cost effectiveness of safeguards
d. Select countermeasures to implement
A
D: Risk analysis is used to compare safeguards, but it does not select the countermeasure to implement. Countermeasure Selection is left to the decision makers, i.e. senior management or their delegated administrators.

60
Q
60. An exposure factor is?
a. The amount of loss that would be incurred due to the compromise of an asset
b. The instance of being exposed to losses from a threat agent
c. The percentage of loss that a realized threat event would cause against a specific asset
d. The likelihood that a system will experience a security breach
A
C: An exposure factor is the percentage of loss that a realized threat event would cause against a specific asset.

61
Q
61. The annualized loss expectancy can be calculated using which of the following equations?
a. Exposure factor x annualized rate of occurrence
b. Asset value x exposure factor
c. Asset value x risk probability x safeguard benefit
d. Asset value x exposure factor x annualized rate of occurrence
A
D: The annualized loss expectancy can be calculated using asset value x exposure factor x annualized rate of occurrence. It can also be calculated using single loss expectancy x annualized rate of occurrence.

62
Q
62. Which of the following is not considered an element in determining the cost of an asset?
a. Cost to replace
b. Cost in productivity if asset is unavailable
c. The file formats used by the asset
d. Liability if asset is compromised
A
C: The file formats used by the asset are typically not an element in determining the cost of an asset.

63
Q
63. Determining the value of an asset can be useful in all but which of the following requirements or activities?
a. Cost/benefit analysis of safeguards
b. Determining the exposure to a threat
c. Insurance inventory
d. Assigning classifications
A
B: Asset valuation supports assigning classifications, the cost/benefit analysis that selects safeguards, and deciding how much insurance to carry on a particular asset. Exposure to a threat is determined by the threat and the vulnerability, not by the asset's value.

64
Q
64. A quantitative risk analysis approach employs which of the following?
a. A specific dollar value is assigned to each risk
b. Opinions about risks are collected from various departments
c. Scenarios are used to evaluate safeguards
d. Guesswork
A
A: A quantitative risk analysis approach employs specific dollar values assigned to each risk.

65
Q
65. Which of the following is not true?
a. Quantitative analysis assigns real numbers and concrete probability percentages.
b. A purely quantitative risk analysis is possible.
c. Quantitative analysis can be automated.
d. Qualitative analysis involves significantly less time and effort than a quantitative approach.
A
B: A purely quantitative risk analysis is not possible, since it is not possible to quantify all qualitative items.

66
Q
66. What form of qualitative risk analysis employs a group of people who reach a consensus through an anonymous means of voting and exchanging ideas?
a. Delphi technique
b. Brainstorming
c. Storyboarding
d. Surveys
A
A: The Delphi technique is a form of qualitative risk analysis that employs a group of people who reach a consensus through an anonymous means of voting and exchanging ideas.

67
Q
67. Which of the following is not a method used in qualitative risk analysis?
a. Focus group
b. Automated software
c. One-on-one meeting
d. Checklist
A
B: Quantitative, not qualitative, risk analysis can be automated with software.

68
Q
68. The value of a safeguard to an organization can be calculated using a formula which includes all but which of the following factors?
a. Annual loss expectancy before safeguard
b. Annual loss expectancy after implementing the safeguard
c. Residual risk
d. Annual cost of safeguard
A
C: Residual risk is not used in the formula for calculating the value of a safeguard; it is the risk that remains after safeguards are implemented. The formula is: value of safeguard = ALE before safeguard - ALE after safeguard - annual cost of safeguard.
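The quantitative formulas from cards 60, 61 and 68 (SLE = asset value x EF, ALE = SLE x ARO, safeguard value = ALE before - ALE after - annual cost) are easiest to trust once you have pushed real numbers through them. The following Python script is an added example, not part of the original flashcard deck: it scores several candidate safeguards for one asset, ranks them as card 59 says risk analysis should, and drops any whose value is negative, which is the card 49 test that a safeguard must cost less than the loss it prevents. The asset, exposure figures and safeguard names are all invented for the illustration.

```python
"""Added example (not part of the original flashcard deck): the quantitative
risk formulas from cards 60, 61 and 68 worked through on a constructed scenario.

    SLE = asset value x exposure factor (EF)
    ALE = SLE x annualized rate of occurrence (ARO)
    safeguard value = ALE before - ALE after - annual cost of safeguard

A safeguard whose value comes out negative fails the test in card 49 (it costs
more than the loss it prevents) and is rejected. All figures are invented.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    ef_after: float   # exposure factor that remains once the safeguard is in place
    aro_after: float  # annualized rate of occurrence once it is in place


def sle(asset_value: float, ef: float) -> float:
    """Single loss expectancy: what one realized threat event costs (card 60)."""
    return asset_value * ef


def ale(asset_value: float, ef: float, aro: float) -> float:
    """Annualized loss expectancy: expected loss per year (card 61)."""
    return sle(asset_value, ef) * aro


def safeguard_value(asset_value: float, ef: float, aro: float, sg: Safeguard) -> float:
    """Card 68: value = ALE before - ALE after - annual cost of the safeguard."""
    before = ale(asset_value, ef, aro)
    after = ale(asset_value, sg.ef_after, sg.aro_after)
    return before - after - sg.annual_cost


def rank_safeguards(asset_value: float, ef: float, aro: float,
                    candidates: Iterable[Safeguard]) -> List[Tuple[str, float]]:
    """Card 59: risk analysis compares safeguards and ranks them by value;
    the actual selection is left to the decision makers."""
    scored = [(sg.name, safeguard_value(asset_value, ef, aro, sg)) for sg in candidates]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def cost_justified(ranked: Iterable[Tuple[str, float]]) -> List[str]:
    """Card 49: keep only safeguards that cost less than the loss they avert."""
    return [name for name, value in ranked if value > 0]


# Constructed scenario: a customer database valued at 1,000,000, where a breach
# destroys 40% of its value (EF 0.4) and is expected once every two years (ARO 0.5).
ASSET_VALUE = 1_000_000.0
EF = 0.4
ARO = 0.5
CANDIDATES = [
    Safeguard("Encrypt database at rest with managed keys",
              annual_cost=30_000, ef_after=0.10, aro_after=0.5),
    Safeguard("Enterprise DLP suite",
              annual_cost=250_000, ef_after=0.05, aro_after=0.25),
    Safeguard("Quarterly access review",
              annual_cost=10_000, ef_after=0.4, aro_after=0.25),
]

if __name__ == "__main__":
    print(f"ALE before any safeguard: {ale(ASSET_VALUE, EF, ARO):,.0f}")
    ranked = rank_safeguards(ASSET_VALUE, EF, ARO, CANDIDATES)
    for name, value in ranked:
        print(f"{name:45s} value {value:>12,.0f}")
    print("cost-justified:", cost_justified(ranked))
```

With these figures the ALE before any safeguard is 200,000 per year. Encryption at rest scores 120,000, the access review 90,000, and the DLP suite comes out at -62,500: it reduces loss the most, but its annual cost exceeds the loss it averts, so a cost/benefit analysis rejects it. The ALE that remains after the chosen safeguard (50,000 for the encryption option) is the residual risk of cards 68 and 78, which senior management then accepts or assigns.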

69
Q
69. What element in a formalized security infrastructure consists of documents that are compulsory in nature?
a. Recommendations
b. Guidelines
c. Standards
d. Policies
A
C: Standards are primarily compulsory in nature.

70
Q
70. Which of the following describes a procedure in a formalized security infrastructure?
a. Defines recommended actions
b. Used when specific standards do not apply
c. Serves as operational guides for IT staff
d. Details step-by-step activities
A
D: Procedures detail step-by-step activities. The other three options describe guidelines, not procedures.

71
Q
71. If _____________________________________, managers can be held liable for negligence and held accountable for asset losses.
a. A company does not practice due care and due diligence
b. A company properly implements a security policy
c. A senior manager does not sign off on a change to the security policy
d. An analysis team does not update the business continuity plan
A
A: If a company does not practice due care and due diligence, managers can be held liable for negligence and held accountable for asset losses.

72
Q
72. Which of the following is not an accepted response to the results of risk analysis?
a. Reduce
b. Reject
c. Assign
d. Accept
A
B: Rejecting risk is not an accepted response to the results of risk analysis.

73
Q
73. Which response to risk can be implemented by purchasing insurance against loss?
a. Reduce
b. Reject
c. Assign
d. Accept
A
C: Assigning risk can be implemented by purchasing insurance against loss.

74
Q
74. Which of the following is not a valid example of assigning risk?
a. Purchasing insurance
b. Implementing a service level agreement with a vendor
c. Crafting a disaster recovery plan
d. Delegating responsibility for security policy implementation
A
D: Delegating security policy implementation responsibilities is not a valid example of assigning risk. Risk remains the responsibility of senior management, it cannot be delegated.

75
Q
75. What security mechanism is primarily responsible for implementing security controls that protect data in the most cost-effective manner?
a. Need to know
b. Data classification
c. Traffic filtering
d. Intrusion detection
A
B: Data classification is the security mechanism that is primarily responsible for implementing security controls that protect data in the most cost-effective manner.

76
Q
76. Which of the following is not one of the five standard data classifications used by the military?
a. Confidential
b. Secret
c. Private
d. Sensitive
A
C: Private is a data classification used by the private sector (i.e. corporate business), not the military.

77
Q
77. What level of private sector data classification represents assets that if disclosed will not cause an adverse impact?
a. Confidential
b. Private
c. Sensitive
d. Public
A
D: The public data classification represents assets that if disclosed will not cause an adverse impact.

78
Q
78. What is the difference between total risk and residual risk?
a. One can be completely eliminated
b. Neither one can be managed with safeguards
c. Neither is directly quantifiable
d. One is calculated by knowing the controls gap
A
D: Total risk is the risk before any safeguard is applied; the controls gap is the amount of risk the selected safeguards remove; residual risk is what is left afterward. Residual risk = total risk - controls gap, so residual risk is the one that is calculated by knowing the controls gap.

79
Q
79. Acceptable risk is?
a. The amount of risk an organization is willing to shoulder
b. Residual risk
c. Any risk that cannot be addressed by safeguards
d. All risks that have an exposure factor of less than 10%
A
A: Acceptable risk is the amount of risk an organization is willing to shoulder.

80
Q
80. What form of security policy outlines the laws and industry restrictions placed upon an organization?
a. Advisory
b. Regulatory
c. Informative
d. Organizational
A
B: Regulatory security policies outline the laws and industry restrictions placed upon an organization.

81
Q
81. A vulnerability is?
a. A potential danger to a system
b. The likelihood of an attack
c. The absence of a safeguard
d. An instance of being exposed to loss
A
C: The absence of a safeguard is a vulnerability.

82
Q
82. Which of the following is not a vulnerability?
a. Unrestricted dial-in modems
b. Open ports
c. Absence of a password policy
d. Human error
A
D: Human error is a threat, not a vulnerability.

83
Q
83. Which of the following is not a threat?
a. An intruder gaining access through a firewall
b. Not inspecting the fire suppression system
c. An activity that violates the security policy
d. Destruction of a data center by a natural disaster
A
B: Not inspecting the fire suppression system is an exposure.

84
Q
84. Which of the following is a valid definition for integrity?
a. Unauthorized disclosure is prevented.
b. Unauthorized modification is prevented.
c. Resources are accessible at all times by authorized users.
d. Disasters can be recovered from quickly.
A
B: Integrity can be defined by "Unauthorized modification is prevented."

85
Q
85. Which of the following is a valid definition for availability?
a. Unauthorized disclosure is prevented.
b. Unauthorized modification is prevented.
c. Resources are accessible at all times by authorized users.
d. Mistakes made by authorized personnel are prevented.
A
C: Availability can be defined by "Resources are accessible at all times by authorized users."

86
Q
86. How can risk be reduced?
a. Removing the vulnerability or removing the threat agent
b. Adjusting procedures
c. Installing fake security cameras
d. Logging system activity
A
A: Removing the vulnerability or removing the threat agent will reduce risk.

87
Q
87. Which of the following is not used to mitigate a potential risk?
a. Countermeasure
b. Safeguard
c. Activity logging
d. Software update or patch
A
C: Activity logging does not mitigate potential risk, at least not directly; it supports detection and accountability after the fact.

88
Q
88. Which of the following is the best definition for countermeasures and safeguards?
a. Eliminates exposure through configuration changes
b. Blocks intrusion attempts
c. Blocks damage by malicious code
d. Reduces the risk of a threat taking advantage of a vulnerability
A
D: Reduces the risk of a threat taking advantage of a vulnerability is the best definition offered in this question for countermeasures and safeguards.

89
Q
89. Which of the following is a security control that ensures availability?
a. Encrypting data
b. Blocking DoS attacks
c. Checking for valid input
d. Training personnel
A
B: Blocking DoS attacks ensures availability.

90
Q
90. Which of the following is typically not considered a countermeasure or safeguard?
a. A night watchman
b. Punching through a firewall for VPN connections
c. BIOS passwords
d. OS-based access controls
A
B: Punching through a firewall for VPN connections is not a safeguard or countermeasure and may introduce new vulnerabilities.

91
Q
91. Who within an organization is responsible for establishment of the foundations of security as well as ongoing support and direction?
a. Security support staff
b. IT department
c. Upper or senior management
d. System administrators
A
C: Upper or senior management is responsible for establishment of the foundations of security as well as ongoing support and direction.

92
Q
92. Who within an organization is responsible for the development and management of standards, guidelines, and procedures?
a. Senior management
b. Middle management
c. IT department
d. System administrators
A
B: Middle management is responsible for the development and management of standards, guidelines, and procedures.
93. What aspect of an asset determines whether it should be protected and to what extent that protection should extend? a. Accessibility b. Data type c. Value d. Accuracy
C: The value of an asset determines its need for security.
94. Which of the following is typically not included in the valuation of an asset? a. Cost to acquire or develop b. Value to owners and users c. Intellectual property d. Cost to store and serve to authorized users
D: The cost to store and serve an asset is not included in the valuation of an asset; that is considered a cost of the infrastructure.
95. What is the primary security purpose for mandatory week-long minimum yearly vacations? a. Prevent buildup of excessive vacation time b. To prevent burnout c. To simplify job rotations d. To allow for auditing
D: Mandatory vacations are used to perform auditing.
96. Who is responsible for assigning data classifications? a. Data custodian b. Data owner c. Data creator d. End user
B: The data owner is responsible for assigning data classification.
97. Which of the following is not a goal of risk analysis? a. Expand security awareness training. b. Identify all possible risks to an environment c. Quantify the impact or cost of potential threats d. Provide a cost/benefit analysis of countermeasures and safeguards
A: Expanding security awareness training is not a goal of risk analysis.
98. Guidelines serve all but which of the following purposes within an organization's formalized security structure? a. A step-by-step implementation manual b. Introduce methodologies for handling various security issues c. Provide recommended courses of action for security problems d. Operational guides for the IT staff
A: Guidelines do not serve as step-by-step implementation manuals.
99. A ________________ is a document that includes general statements about the overall state of security for an organization. Senior management creates this document. a. Procedure b. Guideline c. Standard d. Policy
D: A policy is a document that includes general statements about the overall state of security for an organization. Senior management creates this document.
100. All but which of the following are characteristics of an effective security plan? a. Achievable b. Specific c. Inexpensive d. Clearly stated
C: Implementing cost-effective safeguards is an aspect of a security plan, but not all safeguards or security mechanisms are inexpensive. Cost is not a characteristic of an effective security plan.
101. What is the formula used to derive annualized loss expectancy? a. Asset Value x Exposure Factor x Annualized Rate of Occurrence b. Asset Value x Annualized Rate of Occurrence c. Asset Value x Exposure Factor d. Exposure Factor x Annualized Rate of Occurrence
A: Asset Value x Exposure Factor x Annualized Rate of Occurrence (equivalently, Single Loss Expectancy x Annualized Rate of Occurrence) is the formula for the Annualized Loss Expectancy.
102. The security model employed by an organization depends upon their primary needs. What is the primary need of a government or military organization? a. Risk avoidance b. Integrity c. Availability d. Confidentiality
D: Confidentiality is the primary need of government and military organizations.
103. Baselines are used for all but which of the following within an organization's formalized security structure? a. Establish a minimal level of security throughout the organization b. Establish the basis for standards c. As a starting point for security audits d. As an operational guide for users
D: Baselines are not used as operational guides.
104. Which element of a formalized security structure is positioned just above actual implementation and which defines the steps or actions required to deploy security in an organization? a. Guideline b. Procedure c. Policy d. Standard
B: A procedure is positioned just above actual implementation and defines the steps or actions required to deploy security in an organization.
105. Which of the following statements is true? a. A purely quantitative risk analysis can be performed by the risk assessment team. b. A quantitative analysis requires the subjective input from users. c. A purely quantitative risk analysis cannot be performed since qualitative aspects cannot be quantified. d. Qualitative analysis requires specific dollar valuations of assets to be successful.
C: A purely quantitative risk analysis cannot be performed since qualitative aspects cannot be quantified.
106. The greatest number of threats to the assets of an organization come from where? a. Inside the organization b. Malicious code c. The Internet d. Hardware failures 
A: The greatest number of threats to the assets of an organization come from inside the organization (over 85%).
107. Which of the following is not a task that should be performed by the risk assessment/risk analysis team? a. Perform a threat analysis b. Estimate the potential for each risk to be realized c. To implement an appropriate countermeasure d. Assign values to assets
C: Implementing an appropriate countermeasure is not a task of the risk assessment team. They are only to provide a cost/benefit analysis of countermeasures. It is the responsibility of management to select an appropriate countermeasure based on the analysis and assign the implementation procedure to the security management/administration team.
108. Who is held liable for an organization's failure to perform due care and due diligence? a. End users b. IT staff c. Senior management d. Security team
C: The senior management is held liable for the failure to perform due care and due diligence.
109. What is the cardinal rule of risk analysis? a. All safeguards must be properly budgeted. b. Only safeguards with the highest rate of risk mitigation should be employed. c. Only safeguards with a high ratio of risk mitigation to cost should be implemented. d. The annual cost of safeguards should not exceed the possible annual cost of the loss of an asset.
D: The annual cost of safeguards should not exceed the possible annual cost of the loss of an asset is the cardinal rule of risk analysis.
110. Which of the following risk analysis approaches assigns real numbers to the costs of asset loss and countermeasure implementation? a. Operational analysis b. Quantitative analysis c. Procedural analysis d. Qualitative analysis
B: Quantitative analysis assigns real numbers to the costs of asset loss and countermeasure implementation.
111. Which of the following military data classification levels is used to label assets that may cause serious damage to national security if the asset were disclosed? a. Top Secret b. Secret c. Unclassified d. Classified
B: Secret assets may cause serious damage to national security if disclosed.
112. What security mechanism is often employed as the primary defense against collusion? a. Job rotation b. Separation of duties c. Activity logging d. Forced vacations
A: Job rotation is the primary defense against collusion.
113. In the formula for calculating residual risk, what does the controls gap element represent? a. Vulnerability b. Potential of risk realization c. Countermeasures and safeguards d. Cost of risk analysis
C: The controls gap represents countermeasures and safeguards.
114. Which of the following commercial business data classification levels represents the most sensitive collection of assets? a. Confidential b. Private c. Sensitive d. Public
A: The confidential classification represents the most sensitive collection of assets.
115. Standards are used for what purpose in a formalized security structure? a. To implement industry regulations b. To detail the overall scope and vision of security for an organization c. To establish uniformity across an organization d. To define the actual processes used to implement security
C: Standards are used to establish uniformity across an organization.
116. Which qualitative analysis method is a group decision method that seeks a consensus while retaining the anonymity of the participants? a. Delphi technique b. Brainstorming c. Storyboarding d. Surveys
A: Delphi technique.
117. All but which of the following statements are true with regard to security awareness training? a. Employees gain a basic understanding of the organization's security policy b. Often helps employees obtain certifications c. Helps reduce fraud and circumvention of security mechanisms d. Can be performed in lectures, through newsletters, via posters, or with mouse pads
B: Obtaining certifications is not a function of security awareness training.
118. What is the most important aspect of the exit interview for terminated employees? a. Reviewing non-disclosure agreements b. Updating the job description c. Returning personal property d. Escorted removal from the property.
A: The most important aspect of the exit interview is to review non-disclosure agreements.
119. Which of the following is not a reason, benefit, or requirement to perform asset valuation? a. Reduces hosting costs b. Useful in countermeasure selection c. Insurance coverage identification d. Prevent due care negligence
A: Asset valuation does not typically improve asset hosting costs.
120. The risk assessment team should be comprised … a. Of only management b. Of members from every department or division c. Of only IT staff d. Of only volunteers
B: The risk assessment team should include members from every department or division. This often requires assigning or appointing team membership rather than relying on volunteers.
121. Risk analysis is used to ensure all but which of the following? a. That security is cost effective. b. That security is relevant to the organization. c. That security completely protects an environment. d. That security is responsive to threats.
C: No system is 100% risk free.
122. What is the weakest element in an organization's security? a. Security policy b. Data classification schemes c. Security control mechanisms d. People
D: People are the weakest element in an organization's security.
123. Which of the following is true? a. All risks can be eliminated. b. All security configurations reduce risk. c. Risk reduction requires IDS. d. No system can be 100% risk free.
D: No system can be 100% risk free.
124. The security model employed by an organization depends upon their primary needs. What are the primary needs of a private sector business? a. Confidentiality and Integrity b. Confidentiality and Availability c. Integrity and Availability d. Access Control and Risk avoidance
C: The primary needs of a private sector business are integrity and availability.
125. Which of the four possible responses to the identification and cost/benefit analysis of risk is considered an invalid response? a. Accept b. Reject c. Reduce d. Assign
B: Reject is considered an invalid response.
126. Who is responsible for protecting the confidentiality, integrity, and availability of data? a. Senior management b. Data owner c. Data custodian d. End user
C: The data custodian is responsible for protecting the confidentiality, integrity, and availability of data.
127. What type of policy is not enforceable? a. Informative b. Regulatory c. Administrative d. Organizational
A: Informative policies cannot be enforced.
128. Identification establishes ____________. a. Authentication b. Authorization c. None of the choices d. Accountability
D: Accountability. Identification is a means to verify who you are. It enables systems to trace activities to individual users who may be held responsible for their actions.
129. Which of the following is not a type of risk? a. Equipment failure b. Backup media verification c. Human error d. Intrusion attempt
B: Backup media verification is not a type of risk; rather, it is a safeguard to ensure the viability of backup restorations.
130. How is the value of a safeguard determined? a. Its implementation costs are calculated b. Annual Loss Expectancy before the safeguard - Annual Loss Expectancy after the safeguard - cost of implementing safeguard c. Subjective analysis by end-users d. Risk reduction caused by the safeguard
B: Annual Loss Expectancy before the safeguard - Annual Loss Expectancy after the safeguard - cost of implementing safeguard is the method used to calculate the value of a safeguard.
131. The percentage of loss of the value of an asset, which an organization would incur if a threat event was realized, is known as? a. Annualized loss expectancy b. Annualized rate of occurrence c. Single loss expectancy d. Exposure factor
D: The exposure factor is the percentage of loss of the value of an asset, which an organization would incur if a threat event was realized.
132. In the realm of risk analysis, senior management is responsible for all but which of the following? a. Performing the cost/benefit analysis b. Defining the scope of the risk analysis process c. Appointing the risk assessment team d. Acting on the results of the analysis
A: The risk assessment team, not senior management, is responsible for performing the cost/benefit analysis.
133. Job rotation as a security mechanism has shown itself effective against which of the following? a. Fraud b. Data modification c. Collusion d. Misuse of information
C: Job rotation is directly effective against collusion.
134. The likelihood of a threat taking advantage of a vulnerability is known as? a. Risk b. Exposure c. Mitigation d. Attack
A: Risk is the likelihood of a threat taking advantage of a vulnerability.
135. The security administration team should be responsible for all but which of the following? a. Creating a clear and efficient reporting process b. Monitoring the security of an organization c. Approving the security policy d. Identifying the strengths and weaknesses of a security solution
C: Approving the security policy is the responsibility of senior management, not the security administration team.