Flashcards in Domain 3 - Information Security Governance and Risk Management Deck (25):
2. The basic component of a General Program Policy consists of four basic elements. Among these elements are Purpose or topic, Scope, and Responsibilities. Which of the following is the fourth component?
d. Supplemental information
Explanation: Answer c is the correct answer, and can be found in the cited reference. Answer a is an element found in a Topic specific policy, Answer b is sometimes used by policy writers to explain why policy was written and answer d is usually found in an application-specific policy.
15. Making computer users aware of their security responsibilities and presenting them with the correct practices helps change their behavior. This process of raising end-user consciousness is part of a:
a. In-house education program
b. A new product training course
c. Employee awareness program
d. Skill development
Explanation: Answer c is the correct answer, and is found in the cited reference Answers a, b and d are related to the overall process of improving end-user use of security systems, but the mainly focus on learning to use specific tools, where awareness is a process in behavior modification.
28. Agreements used to give notice that information is confidential or secret to employees and other third parties is termed as either a confidentiality agreement or
a. Employment agreement
b. Condition of employment
c. Non-disclosure agreement
d. Top-secret clearance
Explanation: Answer c is the correct answer and can be found in the ISO 17799. Answer a is generally used with senior level executives and employees with access to competitive advantage information. Answer b might find a non-disclosure agreement as a requirement for employment. Answer d is a clearance level usually restricted to Department of Defense-type information access.
29. What kind of document is a high-level statement of enterprise beliefs, goals, and objectives and the general means for their attainment for a specified subject area?
Explanation: Answer a is the correct answer, and can be found in the cited reference. Answer b is mandatory, step-by-step processes required to complete a specific task. Answer c is mandatory actions, devices or methods used to support a policy and answer d is recommended actions, devices or methods that can be adopted but are not mandatory.
34. The loss potential that exists as the result of the threat-vulnerability pairs. Reducing either the threat or the vulnerability reduces what?
Explanation: Answer a is correct, and can be found in the cited reference. Answer b is the element in risk analysis that tries to identify what level of damage might occur if a threat were to be successful. Answers c and d are sub-elements of the overall risk definition.
39. The ISO 17799 International Standard on Information Security characterizes information security as the preservation of CIA: Confidentiality, Integrity and which of the following?
Explanation: Answer c is the correct answer, and is taken from the cited reference The other answers are incorrect because they are generally viewed as elements of Integrity.
42. The following describes what information security tenant: baseline versions of a product are saved and protected in such a way that they will exist even if something happens to the original version.
a. Change control
b. Version control
c. Software deployment
d. Configuration management
Explanation: Answer d is the correct answer, and can be found in Building Quality Software. Answer a is a process in which system changes are authorized. Answer b is the process used to ensure that all areas have the proper software level or release. Answer c is the process for the orderly distribution of products to the user community.
66. The efficient use of resources when attempting to mitigate a business risk is often described as a positive:
a. Operating expense ratio
b. Return on investment
c. Risk Assessment
d. Security Analysis
Explanation: Answer b is the correct answer, and can be found in the reference below. Answer a is a method used to measure management’s ability to control operating expenses. Answer c is a term that represents the assignment of value to assets, threat frequency, and other elements of chance. Answer d is a method to review security controls.
96. A possible danger to a system, whether it is a person, thing or event that might exploit a vulnerability of the system is termed as a:
Explanation: Answer d is the correct answer, and is taken from the reference below. Answers a, b and c are incorrect in that they fail to reflect the level of severity a threat poses to a system.
99. The characteristic of information being disclosed only to authorized persons, entities, and processes at authorized times and in the authorized manner is know as:
Explanation: Answer d is the answer and is found in the Generally Accepted System Security Principles (GASSP). Answer a is the characteristics of being accurate, answer b is the characteristic of information being accessible and answer c is the ability to audit.
120. The process of investigating a target environment and the relationships of dangers to the target is known in information security circles as:
a. Value analysis
b. Risk analysis
c. Risk assessment
d. Safeguard checking
Explanation: Answer b is the correct, and is found in the cited reference. Answer a is another form of qualitative risk analysis and answer c is a process to assign a value to assets. Answer d is a post risk analysis process usually found in a vulnerability assessment.
124. The absence or weakness of a risk-reducing safeguard is know as a:
Explanation: Answer d is the correct answer and can be found in the cited reference. Answer a is the degree to which there is less than complete confidence in the value of any element of the risk assessment. Answer b is the process of identifying the occurrence of an event and the possible agent involved. Answer c is the specific instance of the condition of being unduly exposed to losses.
149. The portion of risk that remains due to management decisions, unconsidered factors and/or incorrect conclusions is termed:
b. Residual risk
d. Threat factors
Explanation: Answer b is the correct answer and can be found in the cited reference. Answer a is what occurs if corrective actions are inadequate, and c is a policy one buys to transfer the cost to a third-party. Answer d are factors that can impact an asset.
159. Any action, device, procedure, technique, or other process that reduces the vulnerability of a system or asset to an acceptable level is best identified as a:
c. Safety measure
Explanation: Answer d is the correct answer, and is found in the cited reference. Answer a is another form a countermeasure, answer b is a reason by which countermeasures might be installed and answer c is a combination of answers a and d.
165. The characteristics of a resource or an asset which implies its value or importance, and may include its vulnerability is known as:
a. Public data
c. Internal Use
Explanation: Answer b is the correct answer and can be found in the cited reference. Answers a and c are levels usually found in an information classification system. Answer d is an element in a risk analysis process.
181. General statements designed to achieve the policy objectives by providing a framework within which to implement procedures. Where standards are mandatory, these are recommendations.
Explanation: The correct answer is a and can be found in the cited reference. Answer b is the management statement of direction. Answer c is what generally starts the cycle of policy, standard and guideline development. Answer d is the mandatory step-by-step process to complete a task.
183. Something of value or what security professionals are trying to protect. In can include data, information, personnel, facilities, applications, hardware, software, or transmission devices. This item of value known in information security as:
d. Top Secret
Explanation: Answer a is the answer, and can be found in the cited reference. Answer b is a type of asset as is answer c. Answer d is a classification level for information.
184. In a policy on employee responsibilities for handling organization information, this individual: the creator of the information or the primary user of the information is classified as the:
Explanation: Answer d is the correct answer, and is found in the reference cited below. Answers a and b refer to the individual or entity charged with keeping and protecting the information based on the requirements identified by the owner. Answer c is the party granted the right to use the information.
193. The employee, department or third-party entity that is entrusted with ensuring that information assets or resources are appropriately maintained, secured, processed, archived and available as directed by the owner is the:
Explanation: the correct answer is a and is found in the cited reference. Answer b is the entity authorized by the owner to user the resource as approved. Answer c is the group required to have policies and to support them. Answer d is the group or individual (Information Systems Security Officer) charged with creates a security architecture to support the business objectives.
194. Mandatory activities, actions, rules, or regulations designed to provide policies with the support structure and specific direction are?
Explanation: Answer d is the correct answer, and is taken verbatim from the reference cited. Answer a is incorrect because a guideline is not mandatory. Answers b and c are spell out specific steps that must be taken to complete a process.
218. The following statement describes what information security tenant? In order for Management to be able to rely on information that is as intended and is not contaminated or corrupted by malicious acts, uncorrected error conditions, or other failures.
c. Access Control
Explanation: Answer d is the correct answer, and can be found in the GASSP. Answer a is part of the audit process, answer b is the process to ensure system users are who the claim to be and answer c is a process to allow authorized users to access information, transactions or other system functions.
226. A classic form of Risk Analysis was presented to the information security profession when it was included in the FIPS PUB 65 in 1979. This process requires the use of the formula of Loss = Impact X Frequency of Occurrence. The results will give the user the:
a. Threat analysis
b. Quantitative risk analysis
c. Annual loss exposure
d. Frequency of threat
Explanation: Answer c is correct, and is found in the cited reference. Answer a is another form of risk analysis created by FEMA. Answer bB is one of the two major classifications of risk analysis and answer d is an element in ALE.
229. The process of identifying, controlling and minimizing or eliminating security risks that may affect information systems, for an acceptable cost is which of the following?
a. Vulnerability assessment
b. Risk management
c. Information security policy
d. Safeguard review
Explanation: Answer b is the correct answer, and is taken from ISO 17799. Answers a and c are similar in that both address the process of reviewing controls after they have been implemented. Answer d relates to assessment of controls or safeguards and is part of the Risk Management process.
236. The mandatory, step-by-step process that must be done in order to complete a task or assignment are known as:
Explanation: Answer d is the correct answer and can be found in Creating Effective Manuals. Answer a addresses high-level management directives and the general means for there completion. Answer b relates to the mandatory actions or requirements that support policies and answer c is for the non-mandatory actions that can be used to support a policy.