Domain 1: Security and Risk Management Flashcards
When can executives be charged with negligence?
A.
If they follow the transborder laws
B.
If they do not properly report and prosecute attackers
C.
If they properly inform users that they may be monitored
D.
If they do not practice due care when protecting resources
A
To better deal with computer crime, several legislative bodies have taken what steps in their strategy?
A.
Expanded several privacy laws
B.
Broadened the definition of property to include data
C.
Required corporations to have computer crime insurance
D.
Redefined transborder issues
A
Which factor is the most important item when it comes to ensuring security is successful in an organization?
A.
Senior management support
B.
Effective controls and implementation methods
C.
Updated and relevant security policies and procedures
D.
Security awareness by all employees
A
Which of the following standards would be most useful to you in ensuring your information security management system follows industry best practices?
A.
NIST SP 800-53
B.
Six Sigma
C.
ISO/IEC 27000 series
D.
COSO IC
A
Which of the following is true about data breaches?
A.
They are exceptionally rare.
B.
They always involve personally identifiable information (PII).
C.
They may trigger legal or regulatory requirements.
D.
The United States has no laws pertaining to data breaches.
A
When is it acceptable to not take action on an identified risk?
A.
Never. Good security addresses and reduces all risks.
B.
When political issues prevent this type of risk from being addressed.
C.
When the necessary countermeasure is complex.
D.
When the cost of the countermeasure outweighs the value of the asset and potential loss.
A
Which is the most valuable technique when determining if a specific security control should be implemented?
A.
Risk analysis
B.
Cost/benefit analysis
C.
ALE results
D.
Identifying the vulnerabilities and threats causing the risk
A
Which best describes the purpose of the ALE calculation?
A.
Quantifies the security level of the environment
B.
Estimates the loss possible for a countermeasure
C.
Quantifies the cost/benefit result
D.
Estimates the loss potential of a threat in a span of a year
A
How do you calculate residual risk?
A.
Threats × risks × asset value
B.
(Threats × asset value × vulnerability) × risks
C.
SLE × frequency = ALE
D.
(Threats × vulnerability × asset value) × controls gap
A
Why should the team that will perform and review the risk analysis information be made up of people in different departments?
A.
To make sure the process is fair and that no one is left out.
B.
It shouldn’t. It should be a small group brought in from outside the organization because otherwise the analysis is biased and unusable.
C.
Because people in different departments understand the risks of their department. Thus, it ensures the data going into the analysis is as close to reality as possible.
D.
Because the people in the different departments are the ones causing the risks, so they should be the ones held accountable.
A
Which best describes a quantitative risk analysis?
A.
A scenario-based analysis to research different security threats
B.
A method used to apply severity levels to potential loss, probability of loss, and risks
C.
A method that assigns monetary values to components in the risk assessment
D.
A method that is based on gut feelings and opinions
A
Why is a truly quantitative risk analysis not possible to achieve?
A.
It is possible, which is why it is used.
B.
It assigns severity levels. Thus, it is hard to translate into monetary values.
C.
It is dealing with purely quantitative elements.
D.
Quantitative measures must be applied to qualitative elements.
A
What is COBIT and where does it fit into the development of information security systems and security programs?
A.
Lists of standards, procedures, and policies for security program development
B.
Current version of ISO 17799
C.
A framework that was developed to deter organizational internal fraud
D.
Open standards for control objectives
A
What is the ISO/IEC 27799 standard?
A.
A standard on how to protect personal health information
B.
The new version of BS 17799
C.
Definitions for the new ISO 27000 series
D.
The new version of NIST SP 800-60
A
OCTAVE, NIST SP 800-30, and AS/NZS 4360 are different approaches to carrying out risk management within companies and organizations. What are the differences between these methods?
A.
NIST SP 800-30 and OCTAVE are corporate based, while AS/NZS is international.
B.
NIST SP 800-30 is IT based, while OCTAVE and AS/NZS 4360 are corporate based.
C.
AS/NZS is IT based, and OCTAVE and NIST SP 800-30 are assurance based.
D.
NIST SP 800-30 and AS/NZS are corporate based, while OCTAVE is international.
A