Chapter 3 - Info Sec Governance & Risk Management Flashcards

1
Q

ITGI

A

IT Governance Institute defines IT governance as being the responsibility of the board of directors and executive management

2
Q

Executive Management

A

Maintains the overall responsibility for protection of the information assets. Must be aware of the risks they are accepting.

3
Q

Security Officer

A

Responsible for design, implementation, management, and review of the organization’s security policies, standards, procedures, baselines, and guidelines.

4
Q

Information Systems Security Professional

A

Drafting of policies, standards, guidelines, and baselines is coordinated through these individuals.

5
Q

Data/Information/Business Owners

A

Assign appropriate classification to information assets. Ensure business information is protected with appropriate controls. Need to determine the criticality, sensitivity, retention, backups, and safeguards for the information. Need to understand the risks to information that they control.

6
Q

Data/Information Custodian/Steward

A

Takes care of the information on behalf of the owner. This group administers rights to the information assets.

7
Q

Information Systems Auditor

A

Determine compliance with policy, procedures, standards, baselines, designs, architectures, management direction, and other requirements placed on systems. Provide top management with an independent view of controls and their effectiveness.

8
Q

Business Continuity Planner

A

Develops contingency plans. Ensures business processes can continue through a disaster and coordinates those activities with the business areas and information technology personnel responsible for disaster recovery.

9
Q

Information Systems/Information Technology Professionals

A

Responsible for designing security controls into information systems, testing the controls, and implementing the systems in production through agreed-upon policies and procedures.

10
Q

Security Administrator

A

Manages the user access request process and ensures that privileges are provided to those individuals who have been authorized for access by application/system/data owners. Has elevated privileges and creates and deletes accounts and access permissions. Maintains records.

11
Q

Network/System Administrator

A

Configures network and server hardware and the operating system, ensuring information is available and accessible.

12
Q

Physical Security

A

Establishes relationships with external law enforcement to assist in investigations. Manages the installation, maintenance, and ongoing operation of closed-circuit television, burglar alarms, and card reader access. Acts as a deterrent to unauthorized access.

13
Q

Administrative Assistants/Secretaries

A

Are subject to social engineering attacks.

14
Q

Help desk administrator

A

Usually where the first security incidents will be seen. Contacts the Computer Security Incident Response Team (CIRT). Resets passwords, tokens, and smart cards.

15
Q

Safe Harbor Provision

A

“good faith” conditions

16
Q

Control Frameworks

A

Must be consistent, measurable, standardized, comprehensive, and modular.

17
Q

European Data Protection Directive

A

Processing is permitted for compliance with a legal action, to protect the life of the subject, when the subject has provided consent, or when performed within the scope of public interest and the law. Related standards: NIST 800-3, ISO 27001.

18
Q

Due Care

A

The care a reasonable person would exercise; lack of it is negligence.

19
Q

Due diligence

A

Measures taken to avoid harm to other persons or property.

20
Q

Guidelines for writing security policies

A

Formally define a policy creation and policy maintenance practice; policies should survive for two or three years; do not be too specific; use forceful wording; do not include technical implementation details; keep each policy as short as possible; provide references to supporting documents; thoroughly review; conduct management review and sign-off; employees should acknowledge policies; do not use jargon; review incidents and adjust policies; periodically review; define exception rules and sanctions for non-compliance.

21
Q

Spanning Tree Analysis

A

Creates a tree of all possible threats or faults of the system.

22
Q

VAR

A

Value at risk

23
Q

Threat types

A

Human, natural, technical, physical, environmental, and operational.

24
Q

When determining the value of an intangible asset, which is the BEST approach? A. Determine the physical storage cost and multiply by the expected life of the company B. With the assistance of a finance or accounting professional, determine how much profit the asset has returned C. Review the depreciation of the intangible asset over the past three years D. Use the historical acquisition or development cost of the intangible asset

A

B. With the assistance of a finance or accounting professional, determine how much profit the asset has returned

25
Q

Qualitative risk assessment is earmarked by which of the following? A. Ease of implementation, and it can be completed by personnel with a limited understanding of the risk assessment process B. Can be completed by personnel with a limited understanding of the risk assessment process and uses detailed metrics for calculation of risk C. Detailed metrics used for calculation of risk and ease of implementation D. Can be completed by personnel with a limited understanding of the risk assessment process and detailed metrics used for the calculation of risk

A

A. Ease of implementation, and it can be completed by personnel with a limited understanding of the risk assessment process

26
Q

Single loss expectancy is calculated by using: A. Asset value and annualized rate of occurrence (ARO) B. Asset value, local annual frequency estimate (LAFE), and standard annual frequency estimate (SAFE) C. Asset value and exposure factor D. Local annual frequency estimate and annualized rate of occurrence

A

C. Asset value and exposure factor

27
Q

Considerations for which type of risk assessment to perform include all of the following: A. Culture of the organization, likelihood of exposure, and budget B. Budget, capabilities of resources, and likelihood of exposure C. Capabilities of resources, likelihood of exposure, and budget D. Culture of the organization, budget, capabilities, and resources

A

D. Culture of the organization, budget, capabilities, and resources

28
Q

Security awareness training includes: A. Legislated security compliance objectives B. Security roles and responsibilities for staff C. The high-level outcome of vulnerability assessments D. Specialized curriculum assignments, course work, and an accredited institution

A

B. Security roles and responsibilities for staff

29
Q

A signed user acknowledgment of the corporate security policy: A. Ensures that users have read the policy B. Ensures that users understand the policy, as well as the consequences for not following the policy C. Can be waived if the organization is satisfied that users have an adequate understanding of the policy D. Helps to protect the organization if a user’s behavior violates the policy

A

D. Helps to protect the organization if a user’s behavior violates the policy

30
Q

Effective security management: A. Achieves security at the lowest cost B. Reduces risk to an acceptable level C. Prioritizes security for new products D. Installs patches in a timely manner

A

B. Reduces risk to an acceptable level

31
Q

Availability makes information accessible by protecting it from: A. Denial of service, fires, floods, hurricanes, and unauthorized transactions B. Fires, floods, hurricanes, unauthorized transactions, and unreadable backup tapes C. Unauthorized transactions, fires, floods, hurricanes, and unreadable backup tapes D. Denial of service, fires, floods, hurricanes, and unreadable backup tapes

A

D. Denial of service, fires, floods, hurricanes, and unreadable backup tapes

32
Q

To avoid bias, the security officer could report to any of the following: A. CEO, application development, or CFO B. CIO, CFO, or application development C. CFO, CEO, or CIO D. Application development, CFO, or CEO

A

C. CFO, CEO, or CIO

33
Q

Tactical security plans are best used to: A. Establish high-level security policies B. Enable enterprise/entity-wide security management C. Reduce downtime D. Deploy new security technology

A

D. Deploy new security technology

34
Q

Who is accountable for implementing information security? A. Everyone B. Senior management C. Security officer D. Data owners

A

C. Security Officer

35
Q

Security is likely to be most expensive when addressed in which phase? A. Design B. Rapid prototyping C. Testing D. Implementation

A

D. Implementation

36
Q

Information systems auditors help the organization: A. Mitigate compliance issues B. Establish an effective control environment C. Identify control gaps D. Address information technology for financial statements

A

C. Identify control gaps

37
Q

Long-duration security projects: A. Provide greater organizational value B. Increase return on investment C. Minimize risk D. Increase completion risk

A

D. Increase completion risk

38
Q

Setting clear security roles has the following benefits: A. Establishes personal accountability, reduces cross-training requirements, and reduces departmental turf battles B. Enables continuous improvement, reduces cross-training requirements, and reduces departmental turf battles C. Establishes personal accountability, establishes continuous improvement, and reduces turf battles D. Reduces departmental turf battles, reduces cross-training requirements, and establishes personal accountability

A

C. Establishes personal accountability, establishes continuous improvement and reduces turf battles

39
Q

Well-written security program policies are best reviewed: A. At least annually or at pre-determined organizational changes B. After major project implementation C. When application or operating systems are updated D. When procedures need to be modified

A

A. At least annually or at pre-determined organization changes

40
Q

Orally obtaining a password from an employee is the result of: A. Social engineering B. Weak authentication methods C. Ticket-granting server authorization D. Voice recognition software

A

A. Social engineering

41
Q

A security policy that will remain relevant and meaningful over time includes the following: A. Directive words such as shall, must, or will; technical specifications; and is short in length B. Defined policy development process, short in length, and contains directive words such as shall, must, or will C. Short in length, technical specifications, and contains directive words such as shall, must, or will D. Directive words such as shall, must, or will; defined policy development process; and is short in length

A

D. Directive words such as shall, must, or will, defined policy development process and is short in length

42
Q

The ability of one person in the finance department to add vendors to the vendor database and subsequently pay the vendor violates which concept? A. A well-formed transaction B. Separation of duties C. Least privilege D. Data sensitivity level

A

B. Separation of Duties

43
Q

Collusion is best mitigated through: A. Job rotation B. Data classification C. Defining job sensitivity label D. Least privilege

A

A. Job rotation

44
Q

Data access decisions are best made by: A. User managers B. Data owners C. Senior management D. Application developers

A

B. Data owners