Flashcards in Information Security Guidelines and Risk Managerment Deck (44)
When seeking to hire new employees, what is the first step?
A) Create a job description.
B) Set position classification.
C) Screen candidates.
D) Request resumes.
Create a job description.
The first step in hiring new employees is to create a job description. Without a job description, there is no consensus on what type of individual needs to be found and hired.
Which of the following describes the freedom from being observed, monitored, or examined without consent or knowledge?
One definition of privacy is freedom from being observed, monitored, or examined without consent or knowledge.
Which of the following is typically not a characteristic considered when classifying data?
B) Size of object
C) Useful lifetime
D) National security implications
Size of object
Size is not a criterion for establishing data classification. When classifying an object, you should take value, lifetime, and security implications into consideration.
Which of the following would generally not be considered an asset in a risk analysis?
A) A development process
B) An IT infrastructure
C) A proprietary system resource
D) Users' personal files
Users' personal files
The personal files of users are not usually considered assets of the organization and thus are not considered in a risk analysis.
You've performed a basic quantitative risk analysis on a specific threat/vulnerability/risk relation. You select a possible countermeasure. When performing the calculations again, which of the following factors will change?
A) Exposure factor
B) Single loss expectancy
C) Asset value
D) Annualized rate of occurrence
Annualized rate of occurrence
A countermeasure directly affects the annualized rate of occurrence, primarily because the countermeasure is designed to prevent the occurrence of the risk, thus reducing its frequency per year.
What ensures that the subject of an activity or event cannot deny that the event occurred?
A) CIA Triad
D) Hash totals
Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred.
What are the two common data classification schemes?
A) Military and private sector
B) Personal and government
C) Private sector and unrestricted sector
D) Classified and unclassified
Military and private sector
Military (or government) and private sector (or commercial business) are the two common data classification schemes.
A data custodian is responsible for securing resources after ___________ has assigned the resource a security label.
A) Senior management
B) Data owner
D) Security staff
The data owner must first assign a security label to a resource before the data custodian can secure the resource appropriately.
Which of the following is not specifically or directly related to managing the security function of an organization?
A) Worker job satisfaction
C) Information security strategies
Worker job satisfaction
Managing the security function often includes assessment of budget, metrics, resources, information security strategies, and assessing the completeness and effectiveness of the security program.
The CIA Triad comprises what elements?
A) Contiguousness, interoperable, arranged
B) Authentication, authorization, accountability
C) Capable, available, integral
D) Availability, confidentiality, integrity
Availability, confidentiality, integrity
The components of the CIA Triad are confidentiality, availability, and integrity.
Which of the following is a primary purpose of an exit interview?
A) To return the exiting employee's personal belongings
B) To review the nondisclosure agreement
C) To evaluate the exiting employee's performance
D) To cancel the exiting employee's network access accounts
To review the nondisclosure agreement
The primary purpose of an exit interview is to review the nondisclosure agreement (NDA) and other liabilities and restrictions placed on the former employee based on the employment agreement and any other security-related documentation.
Which of the following is not a valid definition for risk?
A) An assessment of probability, possibility, or chance
B) Anything that removes a vulnerability or protects against one or more specific threats
C) Risk = threat * vulnerability
D) Every instance of exposure
Anything that removes a vulnerability or protects against one or more specific threats
Anything that removes a vulnerability or protects against one or more specific threats is considered a safeguard or a countermeasure, not a risk.
When a safeguard or a countermeasure is not present or is not sufficient, what remains?
A vulnerability is the absence or weakness of a safeguard or countermeasure.
What security control is directly focused on preventing collusion?
A) Principle of least privilege
B) Job descriptions
C) Separation of duties
D) Qualitative risk analysis
Separation of duties
The likelihood that a co-worker will be willing to collaborate on an illegal or abusive scheme is reduced because of the higher risk of detection created by the combination of separation of duties, restricted job responsibilities, and job rotation.
Data classifications are used to focus security controls over all but which of the following?
Layering is a core aspect of security mechanisms, but it is not a focus of data classifications.
When an employee is to be terminated, which of the following should be done?
A) Inform the employee a few hours before they are officially terminated.
B) Disable the employee's network access just as they are informed of the termination.
C) Send out a broadcast email informing everyone that a specific employee is to be terminated.
D) Wait until you and the employee are the only people remaining in the building before announcing the termination.
Disable the employee's network access just as they are informed of the termination.
You should remove or disable the employee's network user account immediately before or at the same time they are informed of their termination.
Which of the following represents accidental or intentional exploitations of vulnerabilities?
A) Threat events
C) Threat agents
Threat events are accidental or intentional exploitations of vulnerabilities.
How is single loss expectancy (SLE) calculated?
A) Threat + vulnerability
B) Asset value ($) * exposure factor
C) Annualized rate of occurrence * vulnerability
D) Annualized rate of occurrence * asset value * exposure factor
Asset value ($) * exposure factor
SLE is calculated using the formula SLE = asset value ($) * exposure factor (SLE = AV * EF).
Which of the following is not true?
A) Violations of confidentiality include human error.
B) Violations of confidentiality include management oversight.
C) Violations of confidentiality are limited to direct intentional attacks.
D) Violations of confidentiality can occur when a transmission is not properly encrypted.
Violations of confidentiality are limited to direct intentional attacks.
Violations of confidentiality are not limited to direct intentional attacks. Many instances of unauthorized disclosure of sensitive or confidential information are due to human error, oversight, or ineptitude.
What element of data categorization management can override all other forms of access control?
B) Physical access
C) Custodian responsibilities
D) Taking ownership
Ownership grants an entity full capabilities and privileges over the object they own. The ability to take ownership is often granted to the most powerful accounts in an operating system because it can be used to overstep any access control limitations otherwise implemented.
Confidentiality is dependent upon which of the following?
Without integrity, confidentiality cannot be maintained.
Which of the following is a principle of the CIA Triad that means authorized subjects are granted timely and uninterrupted access to objects?
Availability means that authorized subjects are granted timely and uninterrupted access to objects.
Which of the following is the lowest military data classification for classified data?
C) Sensitive but unclassified
Of the options listed, secret is the lowest classified military data classification. Keep in mind that items labeled as confidential, secret, and top secret are collectively known as classified, and confidential is below secret in the list.
A portion of the ____________ is the logical and practical investigation of business processes and organizational policies. This process/policy review ensures that the stated and implemented business tasks, systems, and methodologies are practical, efficient, cost-effective, but most of all (at least in relation to security governance) that they support security through the reduction of vulnerabilities and the avoidance, reduction, or mitigation of risk.
A) Hybrid assessment
B) Risk aversion process
C) Countermeasure selection
D) Documentation review
A portion of the documentation review is the logical and practical investigation of business processes and organizational policies.
When evaluating safeguards, what is the rule that should be followed in most cases?
A) The expected annual cost of asset loss should not exceed the annual costs of safeguards.
B) The annual costs of safeguards should equal the value of the asset.
C) The annual costs of safeguards should not exceed the expected annual cost of asset loss.
D) The annual costs of safeguards should not exceed 10 percent of the security budget.
The annual costs of safeguards should not exceed the expected annual cost of asset loss.
The annual costs of safeguards should not exceed the expected annual cost of asset loss.
Which of the following is not considered a violation of confidentiality?
A) Stealing passwords
C) Hardware destruction
D) Social engineering
Hardware destruction is a violation of availability and possibly integrity. Violations of confidentiality include capturing network traffic, stealing password files, social engineering, port scanning, shoulder surfing, eavesdropping, and sniffing.
Which of the following is not considered an example of data hiding?
A) Preventing an authorized reader of an object from deleting that object
B) Keeping a database from being accessed by unauthorized visitors
C) Restricting a subject at a lower classification level from accessing data at a higher classification level
D) Preventing an application from accessing hardware directly
Preventing an authorized reader of an object from deleting that object
Preventing an authorized reader of an object from deleting that object is just an example of access control, not data hiding. If you can read an object, it is not hidden from you.
Which of the following is the most important and distinctive concept in relation to layered security?
Layering is the deployment of multiple security mechanisms in a series. When security restrictions are performed in a series, they are performed one after the other in a linear fashion. Therefore, a single failure of a security control does not render the entire solution ineffective.
If an organization contracts with outside entities to provide key business functions or services, such as account or technical support, what is the process called that is used to ensure that these entities support sufficient security?
A) Asset identification
B) Third-party governance
C) Exit interview
D) Qualitative analysis
Third-party governance is the application of security oversight on third parties that your organization relies upon.