Chapter4

Question 1

List the 6 steps to developing a complaint security program

Answer 1

1 - Identify information Assets
2- Conducting risk assessment
3 - Selecting & Implementing security controls
4 - Monitor & Test the controls
5 - Review & Adjust the program
6 - Oversee third party service providers

Question 2

Which step is the baseline for security controls?

Answer 2

Step 2: Conducting a risk assessment

Question 3

What is a threat?

Answer 3

Anything that has the potential to cause harm

Question 4

What is a Vulnerability?

Answer 4

Flaw or weakness that can be exploited.

Question 5

What are the 3 security controls?

Answer 5

Physical Security Controls
Technical Security Controls
Administrative Security Controls

Question 6

Factors citied in security statutes and regulations:

Answer 6

Organization size and combabilities
Nature & Scope of the business
Nature and sensitivity of information
State of the art tech.
Cost of the security
Infrastructure Capabilities

Question 7

Businesses must conduct periodic internal reviews to evaluate and adjust the information security program as a result of:

Answer 7

Testing & Monitoring
Material Changes to the business
Changes in technology
Changes in threats
Environmental or operational changes

Question 8

What are the 3 basic requirements on businesses for outsourcing?

Answer 8

1- Exercising due diligence in selecting service provider
2- Contractually require outsource provider to implement appropriate security measures
3- Monitor the performance of the outsource provider

Question 9

Physical Security Controls focuses on?

Answer 9

Facility and equipment

Media

Question 10

Technical security controls focus on?

Answer 10

Access Controls
Identification and authentication
System and service acquisition Controls
System and information Integrity

Question 11

Administrative Security Controls focus on?

Answer 11

Personal Security
Employee awareness and training
Contigency

Question 11

Administrative Security Controls focus on?

Answer 11

Personal Security
Employee awareness and training
Contingency Planning, backup & disaster recovery
Incident Response Plan

Question 12

3 categorization to protect facility and equipment

Answer 12

Physical access restriction
Protection against technological failures
Protection against environmental threats

Question 13

Security Laws & Regulations require to protect data media from being:

Answer 13

Read
Copied
Altered
Removed

Question 14

Controlling access to system and data requires?

Answer 14

Identification
Authentication
Authorization

Question 15

To manage the acquisition process should include:

Answer 15

Imposing appropriate security requirements
Design and implementation of the system
Testing & Evaluation of security

Question 16

System and data integrity includes:

Answer 16

System Integrity
Dats integrity
Malicious code protection
Instrusion detection

Question 16

System and data integrity includes:

Answer 16

System Integrity (protect from unauthorized changes)
Dats integrity (protect from unauthorized alteration or destruction)
Malicious code protection
Intrusion detection

Question 17

Laws and regulations require to verify employees, agents and contractors to have:

Answer 17

Technical Expertise
Personal Integrity
Reliability

Question 18

Contingency Plan should include:

Answer 18

System & data backup procedures
Recovery Plan
Alternate source storage
Backup & retention procedure
Proper immediately deletion after they can not be used
Appropriate mechanism to recovery
Testing the plan on a regular basis
Regular reviewing of the plan

Question 19

Incidence Response Plan should include:

Answer 19

Incident Reporting
Incident Handling and response
Incident Monitoring and recordkeeping
Incident Response assistance
Training
Testing

Question 20

What is the purpose of Selecting and Implementing security controls?

Answer 20

To manage reduce the risk to an appropriate and reasonable level

Question 21

The implementation of the security law involves:

Answer 21

Categories of the security control

The key role of the risk assessment