Domain 1: Security and Risk Management Flashcards

1
Q

When can executives be charged with negligence?
A. If they follow the transborder laws
B. If they do not properly report and prosecute attackers
C. If they properly inform users that they may be monitored
D. If they do not practice due care when protecting resources

A

A

2
Q

To better deal with computer crime, several legislative bodies have taken what steps in their strategy?
A. Expanded several privacy laws
B. Broadened the definition of property to include data
C. Required corporations to have computer crime insurance
D. Redefined transborder issues

A

A

3
Q

Which factor is the most important item when it comes to ensuring security is successful in an organization?
A. Senior management support
B. Effective controls and implementation methods
C. Updated and relevant security policies and procedures
D. Security awareness by all employees

A

A

4
Q
Which of the following standards would be most useful to you in ensuring your information security management system follows industry best practices?
A. NIST SP 800-53
B. Six Sigma
C. ISO/IEC 27000 series
D. COSO IC

A

A

5
Q

Which of the following is true about data breaches?
A. They are exceptionally rare.
B. They always involve personally identifiable information (PII).
C. They may trigger legal or regulatory requirements.
D. The United States has no laws pertaining to data breaches.

A

A

6
Q

When is it acceptable to not take action on an identified risk?
A. Never. Good security addresses and reduces all risks.
B. When political issues prevent this type of risk from being addressed.
C. When the necessary countermeasure is complex.
D. When the cost of the countermeasure outweighs the value of the asset and potential loss.

A

A

7
Q
Which is the most valuable technique when determining if a specific security control should be implemented?
A. Risk analysis
B. Cost/benefit analysis
C. ALE results
D. Identifying the vulnerabilities and threats causing the risk

A

A

8
Q

Which best describes the purpose of the ALE calculation?
A. Quantifies the security level of the environment
B. Estimates the loss possible for a countermeasure
C. Quantifies the cost/benefit result
D. Estimates the loss potential of a threat in a span of a year

A

A

9
Q
How do you calculate residual risk?
A. Threats × risks × asset value
B. (Threats × asset value × vulnerability) × risks
C. SLE × frequency = ALE
D. (Threats × vulnerability × asset value) × controls gap

A

A

10
Q

Why should the team that will perform and review the risk analysis information be made up of people in different departments?
A. To make sure the process is fair and that no one is left out.
B. It shouldn’t. It should be a small group brought in from outside the organization because otherwise the analysis is biased and unusable.
C. Because people in different departments understand the risks of their department. Thus, it ensures the data going into the analysis is as close to reality as possible.
D. Because the people in the different departments are the ones causing the risks, so they should be the ones held accountable.

A

A

11
Q

Which best describes a quantitative risk analysis?
A. A scenario-based analysis to research different security threats
B. A method used to apply severity levels to potential loss, probability of loss, and risks
C. A method that assigns monetary values to components in the risk assessment
D. A method that is based on gut feelings and opinions

A

A

12
Q

Why is a truly quantitative risk analysis not possible to achieve?
A. It is possible, which is why it is used.
B. It assigns severity levels. Thus, it is hard to translate into monetary values.
C. It is dealing with purely quantitative elements.
D. Quantitative measures must be applied to qualitative elements.

A

A

13
Q

What is COBIT and where does it fit into the development of information security systems and security programs?
A. Lists of standards, procedures, and policies for security program development
B. Current version of ISO 17799
C. A framework that was developed to deter organizational internal fraud
D. Open standards for control objectives

A

A

14
Q
What is the ISO/IEC 27799 standard?
A. A standard on how to protect personal health information
B. The new version of BS 17799
C. Definitions for the new ISO 27000 series
D. The new version of NIST SP 800-60

A

A

15
Q

OCTAVE, NIST SP 800-30, and AS/NZS 4360 are different approaches to carrying out risk management within companies and organizations. What are the differences between these methods?
A. NIST SP 800-30 and OCTAVE are corporate based, while AS/NZS is international.
B. NIST SP 800-30 is IT based, while OCTAVE and AS/NZS 4360 are corporate based.
C. AS/NZS is IT based, and OCTAVE and NIST SP 800-30 are assurance based.
D. NIST SP 800-30 and AS/NZS are corporate based, while OCTAVE is international.

A

A

16
Q

Use the following scenario to answer Questions 14–16. A server that houses sensitive data has been stored in an unlocked room for the last few years at Company A. The door to the room has a sign on the door that reads “Room 1.” This sign was placed on the door with the hope that people would not look for important servers in this room. Realizing this is not optimum security, the company has decided to install a reinforced lock and server cage for the server and remove the sign. The company has also hardened the server’s configuration and employed strict operating system access controls.

The fact that the server has been in an unlocked room marked “Room 1” for the last few years means the company was practicing which of the following?
A. Logical security
B. Risk management
C. Risk transference
D. Security through obscurity

A

A

17
Q

Use the following scenario to answer Questions 14–16. A server that houses sensitive data has been stored in an unlocked room for the last few years at Company A. The door to the room has a sign on the door that reads “Room 1.” This sign was placed on the door with the hope that people would not look for important servers in this room. Realizing this is not optimum security, the company has decided to install a reinforced lock and server cage for the server and remove the sign. The company has also hardened the server’s configuration and employed strict operating system access controls.

The new reinforced lock and cage serve as which of the following?
A. Logical controls
B. Physical controls
C. Administrative controls
D. Compensating controls

A

A

18
Q

Use the following scenario to answer Questions 14–16. A server that houses sensitive data has been stored in an unlocked room for the last few years at Company A. The door to the room has a sign on the door that reads “Room 1.” This sign was placed on the door with the hope that people would not look for important servers in this room. Realizing this is not optimum security, the company has decided to install a reinforced lock and server cage for the server and remove the sign. The company has also hardened the server’s configuration and employed strict operating system access controls.

The operating system access controls comprise which of the following?
A. Logical controls
B. Physical controls
C. Administrative controls
D. Compensating controls

A

A

19
Q
Use the following scenario to answer Questions 19–21. A company has an e-commerce website that carries out 60 percent of its annual revenue. Under the current circumstances, the annualized loss expectancy for a website against the threat of attack is $92,000. After implementing a new application-layer firewall, the new annualized loss expectancy would be $30,000. The firewall costs $65,000 per year to implement and maintain.

How much does the firewall save the company in loss expenses?
A. $62,000
B. $3,000
C. $65,000
D. $30,000

A

A

20
Q

Use the following scenario to answer Questions 19–21. A company has an e-commerce website that carries out 60 percent of its annual revenue. Under the current circumstances, the annualized loss expectancy for a website against the threat of attack is $92,000. After implementing a new application-layer firewall, the new annualized loss expectancy would be $30,000. The firewall costs $65,000 per year to implement and maintain.

What is the value of the firewall to the company?
A. $62,000
B. $3,000
C. –$62,000
D. –$3,000

A

A

21
Q

Use the following scenario to answer Questions 19–21. A company has an e-commerce website that carries out 60 percent of its annual revenue. Under the current circumstances, the annualized loss expectancy for a website against the threat of attack is $92,000. After implementing a new application-layer firewall, the new annualized loss expectancy would be $30,000. The firewall costs $65,000 per year to implement and maintain.

Which of the following describes the company’s approach to risk management?
A. Risk transference
B. Risk avoidance
C. Risk acceptance
D. Risk mitigation

A

A

22
Q

Use the following scenario to answer Questions 22–24. A small remote office for a company is valued at $800,000. It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventative controls in place.

What is the single loss expectancy (SLE) for the facility suffering from a fire?
A. $80,000
B. $480,000
C. $320,000
D. 60%

A

A

23
Q

Use the following scenario to answer Questions 22–24. A small remote office for a company is valued at $800,000. It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventative controls in place.

What is the annualized rate of occurrence (ARO)?
A. 1
B. 10
C. .1
D. .01

A

A

24
Q

Use the following scenario to answer Questions 22–24. A small remote office for a company is valued at $800,000. It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventative controls in place.

What is the annualized loss expectancy (ALE)?
A. $480,000
B. $32,000
C. $48,000
D. .6

A

A

25
Q

The international standards bodies ISO and IEC developed a series of standards that are used in organizations around the world to implement and maintain information security management systems. The standards were derived from the British Standard 7799, which was broken down into two main pieces. Organizations can use this series of standards as guidelines, but can also be certified against them by accredited third parties. Which of the following are incorrect mappings pertaining to the individual standards that make up the ISO/IEC 27000 series?
i. ISO/IEC 27001 outlines ISMS implementation guidelines, and ISO/IEC 27003 outlines the ISMS program’s requirements.
ii. ISO/IEC 27005 outlines the audit and certification guidance, and ISO/IEC 27002 outlines the metrics framework.
iii. ISO/IEC 27006 outlines the program implementation guidelines, and ISO/IEC 27005 outlines risk management guidelines.
iv. ISO/IEC 27001 outlines the code of practice, and ISO/IEC 27004 outlines the implementation framework.

A. i, iii
B. i, ii
C. ii, iii, iv
D. i, ii, iii, iv

A

A

26
Q

The information security industry is made up of various best practices, standards, models, and frameworks. Some were not developed first with security in mind, but can be integrated into an organizational security program to help in its effectiveness and efficiency. It is important to know of all of these different approaches so that an organization can choose the ones that best fit its business needs and culture. Which of the following best describes the approach(es) that should be put into place if an organization wants to integrate a way to improve its security processes over a period of time?
i. Information Technology Infrastructure Library should be integrated because it allows for the mapping of IT service process management, business drivers, and security improvement.
ii. Six Sigma should be integrated because it allows for the defects of security processes to be identified and improved upon.
iii. Capability Maturity Model Integration should be integrated because it provides distinct maturity levels.
iv. The Open Group Architecture Framework should be integrated because it provides a structure for process improvement.

A. i, iii
B. ii, iii, iv
C. ii, iii
D. ii, iv

A

A