Security And risk Management

Question 1

Need to know access

Answer 1

Confidentiality

Question 2

Information processed correctly and not modified by unauthorized persons and protecting data in transit

Answer 2

Integrity

Question 3

Ensuring systems are up and running so that persons can use them when they need them

Answer 3

Availability

Question 4

Who get access- who is authorized to speak behave access to the system

Answer 4

Availability

Question 5

Lashes, digital signatures, parity bits, separation of duties

Answer 5

Integrity

Question 6

Remote sites, backups, high availability, RAID levels,

Answer 6

Availability

Question 7

Validates appropriate policies, procedures and standards and guidelines are implemented to ensure business operations

Answer 7

Information Security Management

Question 8

Things measured on a long-term trends and illustrate the day-to-day workload

Answer 8

Metrics

Question 9

Who is responsible for Security

Answer 9

Everyone

Question 10

Who is ultimately responsible for Security

Answer 10

Executive Management/Executive Level

Question 11

Who does security report too?

Answer 11

Chain of command

Question 12

Detecting- pre-emptive measure made to avoid harm to other persons or their property

Answer 12

Due Diligence

Question 13

Caring is correcting

Answer 13

Due Care

Question 14

Legal term used to describe the care a “reasonable person” would exercise under given circumstances

Answer 14

Due Care

Question 15

Examples:
Background checks of employee credit checks of business partners 
Information security assessments 
Penetration testing
Contingency testing of backup systems

Answer 15

Due Diligence

Question 16

Dual use goods

Answer 16

Wassenaar Arrangement

Question 17

3 types of access control

Answer 17

Administrative
Physical
Technical

Question 18

Name 2 types of Risk

Answer 18

Likelihood

Impact

Question 19

What is C.I.A?

Answer 19

Confidentiality; Availability and Integrity

Question 20

idea that is certified and made public

Answer 20

Patent

Question 21

Expression of an idea

Answer 21

Copyright

Question 22

What organization concisely defines intellectual property?

Answer 22

World Intellectual Property Organization (WIPO)

Question 23

What laws explain what is an export?

Answer 23

International Traffic in Arms Regulations Act (ITAR:1976)

Question 24

What laws explain What is deemed export?

Answer 24

Export Administration Regulations Act Security (EAR:1979)

Question 25

What is the most common Dual-Use goods?

Answer 25

Cryptography

Question 26

Right and Obligations of individuals and Organizations with respect to the collection, use, retention and disclosure of personal information

Answer 26

Privacy

Question 27

Limits collection of personal data

Answer 27

Collection Limitation Principle

Question 28

data that should be relevant to the purposes for which they are to be used and to the extent necessary for those purpose

Answer 28

Data Quality Principle

Question 29

Personal data collected is specified not later than at the time of data collection and the subsequent use is limited to the fulfillment

Answer 29

Purpose Specification Principle

Question 30

data should not be disclosed , made available or used for purpose other than those specified except; with consent of the data subject

Answer 30

use Limitation Principle

Question 31

Personal data protected by Security Safeguards

Answer 31

Security Safeguard Principle

Question 32

openness of general policy about developments, practices and policies respect to personal data

Answer 32

Openness Principle

Question 33

An event that has the potential to do harm

Answer 33

Incident

Question 34

An event that is measurable or observable occurrence that involves any asset

Answer 34

Incident

Question 35

An incident that results in the disclosure or potential exposure of data

Answer 35

Breach

Question 36

Unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information

Answer 36

Data Disclosure

Question 37

provides a common language for describing security incidents in a structured and repeatable manner

Answer 37

VERIS (The Vocabulary for Event Recording and Incident Sharing)

Question 38

Regulates the handling of personal information about individuals

Answer 38

Privacy Act

Question 39

sets national standards for the security of electronically protected health information

Answer 39

Health Insurance Portability and Accountability Act (HIPPA)

Question 40

certify the accuracy of financial information and penalties for fraudulent activity by providing outside auditors to review accuracy of financial statements

Answer 40

Sarbanes-Oxley Act

Question 41

standard that requires notice of data breaches of personal data breach to the competent national authority no later than 24 hours after detection

Answer 41

Regulation for Electronic Communications Service

Question 42

Ethical Standard that protects country

Answer 42

Global responsibilities

Question 43

Ethical Standard Protect State

Answer 43

National standard

Question 44

Ethical Standard Protect Company

Answer 44

Organizational standard

Question 45

What you do when no one is there to navigate what you do legally or illegal

Answer 45

Personal Standard

Question 46

Code of Ethic Canons

Answer 46

Protect Society (people)
Act Honorably (Honor)
Provide diligent and competent service to principals (Boss)
Advance and protect the profession (profession)

Question 47

components that support the implementation of security policy

Answer 47

Procedure, standards, guidelines, and baselines

Question 48

4 Steps in a BIA

Answer 48

Gather information, perform a vulnerability assessment, analyzing the information, Document the results

Question 49

An event or situation that if occurred, would prevent the organization from operating in its normal manner, if at all

Answer 49

Threat

Question 50

The amount of time the organization can function without that application before significant impact occurs

Answer 50

Recovery Time Objective (RTO) or Maximum Tolerable Downtime (MTD)

Question 51

How quickly you need to have that application information available after downtime has occurred

Answer 51

Recovery Time Objective (RTO)

Question 52

Refers to the point in time which data must be restored in order to successfully resume processing between the last backup and when the event occured

Answer 52

Recovery Point Objective (RPO)

Question 53

Reduce Risk of Collusion between individuals

Answer 53

Job Rotation

Question 54

to not have the same capability to execute all of the steps of a particular process

Answer 54

Separation of Duties

Question 55

access to sensitive data to do there job

Answer 55

Need to know

Question 56

Guidance that analyze risks and manage mitigation in alignment with business and compliance objective

Answer 56

GRC- Governance Risk Management and Compliance

Question 57

Data Protection Directive (DPD), Personal Information Protection and Electronic Documents Acts (PIPEDA), Personally Identifiable Information (PII), HIPAA and Gramm-Leach Bliley ACt (GLBA), Payment Card Industry (PCI) are all examples of what?

Answer 57

Privacy Requirements Compliance

Question 58

Idea that is certified and made public

Answer 58

Patent

Question 59

Contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-goods and technolgies

Answer 59

The Wassenaar Arrangement (AR)

Question 60

Regulates the handling of personal information about individuals

Answer 60

The Privacy Act

Question 61

sets national standards for the security of electronically protected health information

Answer 61

Health insurance Portability and Accountability ACt (HIPPA)

Question 62

Top management must individually certify the accuracy of financial information and penalties for fraudulent financial activity are greater.

Answer 62

Sarbanes-Oxley Act

Question 63

European Electronic Communication Service providers are required to provide notice of data breaches of a personal data breach to the competent national authority no later than 24 hours after the detection of the personal data breach, when feasible

Answer 63

Regulation for Electronic Communication Service (EU)

Question 64

Procedures, standards, guidelines, and baselines are components that support the implementation of what?

Answer 64

Security Policy

Question 65

1st step in building the BC program

Answer 65

Project initiation and management

Question 66

Before the project can even start, it must have who’s support?

Answer 66

Senior/executive Management

Question 67

Procedures implanted to define the roles, responsibilities, policies and administrative functions needed to manage the control environment

Answer 67

Administrative Controls

Question 68

An estimate of how often a threat will be successful in exploiting a vulnerability over the period of a year

Answer 68

Annualized Rate of Occurrence (ARO)

Question 69

The principle that ensures that information is available and accessible to users

Answer 69

Availability

Question 70

An incident that results in the disclosure or potential exposure of data

Answer 70

Breach

Question 71

Controls and hat substitute for the loss of primary controls and mitigate risk down to an acceptable level

Answer 71

Compensating Controls

Question 72

Actions that ensure behavior that complies with established rules

Answer 72

Compliance

Question 73

Covers the expression of ideas rather than the ideas themselves; it usually protects artistic property such as writing, recordings, database, and computer programs.

Answer 73

Copyright

Question 74

Supports the principle of “Least Privilege” by providing that only authorized individuals, processes, or systems should have access to information on a need to know basis

Answer 74

Confidentiality

Question 75

Covers the expression of ideas rather than the ideas themselves, usually protected artistic property such as writings, recording, databases, and computer programs

Answer 75

Copyright

Question 76

Controls implemented to remedy circumstance, mitigate damage, or restore controls

Answer 76

Corrective Controls

Question 77

A breach for which it was confirmed that data was actually disclosed(not just exposed) to an unauthorized party

Answer 77

Data Disclosure

Question 78

Controls designed to signal warning when a security control has been breached

Answer 78

Detective Controls

Question 79

Controls designed to discourage people from violating security directives

Answer 79

Deterrent Controls

Question 80

Controls designed to specify acceptable rules of behavior within an organization

Answer 80

Directive Controls

Question 81

Is similar to Due care with the exception that it is a pre-preemptive measure made to avoid harm to other persons or their property

Answer 81

Due Diligence

Question 82

A process designed to identify potential events that may affect the entity, manage risk so it is within its risk appetite, and provide reasonable assurance regarding the achievement of entity objectives

Answer 82

Enterprise Risk Management

Question 83

Authorized the President to regulate export of civilian goods and technologies that have military applications

Answer 83

Export Administration Act

Question 84

Ensures the business focuses on core activities clarifies who in the organization has the authority to make decisions, determines accountability for actions and responsibility for outcomes, and addresses how expected performance will be evaulated

Answer 84

Governance

Question 85

A Security Event that compromises the confidentiality, integrity, or availability of an information asset

Answer 85

Incident

Question 86

Comes in two forms making sure that information is processed correctly and not modified by unauthorized persons and protecting information as it transits a network.

Answer 86

Integrity

Question 87

Accountable for ensuring the protection of all of the business information assets from intentional and unintentional loss, disclosure, alteration, destruction and unavailabilty

Answer 87

Information Security Officer

Question 88

Granting users only the accesses that are required to perform their job functions

Answer 88

Least Privilege

Question 89

Electronic hardware and software solutions implemented to control access to information and information networks

Answer 89

Logical (Technical) Controls

Question 90

Protects novel, useful, and non-obvious inventions

Answer 90

Patent

Question 91

Controls to protect the organizations people and physical environment, such as locks, fire management, gates, and guards

Answer 91

Physical controls

Question 92

Controls implemented to prevent a security incident

Answer 92

Preventive Controls

Question 93

Controls implemented to restore conditions to normal after a security incident

Answer 93

Recovery Controls

Question 94

How quickly you need to have that applications information available after downtime has occured

Answer 94

Recovery Time Objective (RTO)

Question 95

The point in time to which data must be restored in order to successfully resume processing

Answer 95

Recovery Point Objective (RPO)

Question 96

A Combination of the probability of an event and its consequences (ISO 27000)

Answer 96

Risk

Question 97

An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result (RFC 2828)

Answer 97

Risk

Question 98

The practice of accepting certain risk, typically based on business direction that may also weigh the cost versus the benefit of dealing with the risk in another way

Answer 98

Risk Acceptance

Question 99

The practice of coming up with alternatives so that the risk in question is not realized

Answer 99

Risk Avoidance

Question 100

The practice of the elimination of or the significant decrease in the level of risk presented

Answer 100

Risk Mitigation

Question 101

The practice of passion on the risk in question to another entity, such as an insurance company

Answer 101

Risk Transfer

Question 102

A systematic process for identifying, analyzing, evaluation, remedying, and monitoring risk

Answer 102

Risk Management

Question 103

Defined as the difference between the original value and the remaining value of an asset after a single exploit

Answer 103

Single Loss Expectancy (SLE)

Question 104

An word, name, symbol, color, sound, product shape, device, or combination of these that is used to identify goods and distinguish them from those made or sold by others

Answer 104

Trademark

Question 105

Proprietary business or technical information, processes, designs, practices, etc. that are confidential and critical to the business

Answer 105

Trade Secret

Question 106

Determines the potential impact of disruptive events on the organizations business processes

Answer 106

Vulnerability Assessment

Question 107

Established to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, this preventing destabilizing accumulations

Answer 107

Wassenaar Arrangement

Question 108

Within the realm of IT Security, which of the following combinations best define risk:
A. Threat coupled with a breach
B. Threat coupled with a vulnerability
C. Vulnerability coupled with an attack
D. Threat coupled with a breach of security

Answer 108

B. Threat coupled with a vulnerability
(A vulnerability is a lack of countermeasure or a weakness in a countermeasure that is in place. A threat is any potential danger that is associated with the exploitation of a vulnerability)

Question 109

When determining the value of an intagible asset which is the BEST approach:
A. Determine the physical storage cost and multiply by the expected life of the company
B. With the assistance of finance of accounting professional determine how much profit the asset has returned
C. Review the depreciation of intangible asset over the past three years
D. Use the historical acquisition or development cost of the intangible asset.

Answer 109

B.-

Question 110

Qualitative risk assessment is ear marked by which of the following?
A. Ease of implementation and it can be completed by personnel with a limited understanding of the risk assessment process
B. Can be completed by personnel with a limited understanding of the risk assessment process and uses detailed metrics used for calculation of risk
C. Detailed metrics used for calculation of risk and ease of implementation
D. Can be completed by personnel with a limited understanding of the risk assessment process and detailed metrics used for the calculation of risk

Answer 110

A

Question 111

Single Loss expectancy (SLE) is calulated by using:
A. Asset Value and annualized rate of occurence (ARO)
B. Asset Value, local annual frequency estimate (LAFE) and standard annual frequency estimate (SAFE)
C. Asset value and exposure factor
D. Local annual frequency estimate and annualized reate of occurence

Answer 111

C

Question 112

Consideration for which type of risk assessment to perform includes all of the following:
A. Culture of the organization likelihood of exposure and budget
B. Budget, capabilities of resources and likelihood of exposure
C. Capabilities of resources, likelihood of exposure and budget
D. Culture of the organization, budget, capabilities and resources

Answer 112

D

Question 113

Security Awareness training includes:
A. Legislated security compliance objectives
B. Security roles and responsibilities for staff
C. The high-level outcome of vulnerability assessments
D. Specialized curriculum assignments, coursework and an accredited institution.

Answer 113

B

Question 114

What is the minimum and customary practice of responsible protection of assets that affects a community or societal norm?
A. Due diligence
B. Risk Mitigation
C. Asset Protection
D. Due Care

Answer 114

D

Question 115

Effective Security Management
A. Achieved security at the lowest cost
B. Reduces risk to an acceptable level
C. Prioritizes security for new products
D. installs patches in a timely manner

Answer 115

B

Question 116

Availability makes information accessible by protecting from:
A. Denial of services, fires, floods, hurricanes, and unauthorized transactions
B. Fire, floods, hurricanes, unauthorized transactions and unreadable backup tapes
C. unauthorized transactions fires, floods, hurricanes and unreadable backup tapes
D. Denial services, fires, floods, and hurricanes and unreadable backup tapes

Answer 116

D

Question 117

Which phrase best defines a business continuity/disaster recovery plan?
A. A set of plans for preventing a disaster
B. An approved set of preparations and sufficient procedures for responding to a disaster
C. A set of preparations and procedures for responding to a disaster without management approval
D. The adequate preparations and procedures for the continuation of all organization functions

Answer 117

D

Question 118

Which of the following steps should be performed first in a business impact analysis (BIA)?
A. Identify all business units within an organization
B. Evaluate the impact of disruptive events
C. Estimate the Recovery Time Objectives (RTO)
D. Evaluate the criticality of business functions

Answer 118

A

Question 119

Tactical security plans are BEST used to:
A. Establish high-level security policies
B. Enable enterprise/entity-wide security management
C.Reduce downtime
D. Deploy new security technology

Answer 119

D

Question 120

Who is accountable for implementing information security?
A. Everyone
B. Senior Management
C. Security Officer
D. Data Owners

Answer 120

C

Question 121

Security is likely to be most expensive when addressed in which phase?
A. Design
B. Rapid Prototyping
C. Testing
D. Implementation

Answer 121

D

Question 122

Information systems auditors help the organization?
A. Mitigate compliance issues
B. Establish and effective control environment
C. Identify control gaps
D. Address information technology for financial statements

Answer 122

C

Question 123

The Facilitated Risk Analysis Process (FRAP)
A. Makes a base assumption that a broad risk assessment is the most effective way to determine risk in a system, business segment, application or process
B. Makes a base assumption that a narrow risk assessment is the most efficient way to determine risk in a system, business segment, application or process
C. Makes a base assumption that a narrow risk assessment is the least efficient way to determine risk in a system, business segment, application or process
D. makes a base assumption that a broad risk assessment is the least efficient way to determine risk in a system, business segments, application or process

Answer 123

B

Question 124

Setting clear security roles has the following benefits:
A. Establishes personnel accountability, reduces cross-training requirements and reduced departmental turf battle
B. Enables continuous improvement, reduces cross-training requirements and reduced departmental turf battle
C. Established personal accountability, establishes continuous improvement and reduces turf battles
D. Reduced departmental turf battles, Reduces cross-training requirements and establishes personal accountability

Answer 124

C

Question 125

Well-written security program policies are BEST reviewed:
A. At least annually or at pre-determined organization changes
B. After major project implementations
C. When applications or operating systems are updated
D. When procedures need to be modified

Answer 125

A

Question 126

An organization will conduct a risk assessment to evaluate:
A. Threat to its assets, vulnerabilities not present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on the organization, the residual risk
B. Threat to its assets, vulnerabilities present int he environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on another organization, the residual risk
C. Threat to its assets, vulnerabilities present int he environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on organization, the residual risk
D.Threat to its assets, vulnerabilities present int he environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on the organization, the total risk

Answer 126

C

Question 127

A security policy which will remain relevant and meaningful over time includes the following:
A. Directive words such as shall, must, or will, technical specifications and is short in length
B. Defined policy development process, short in length and contains directive words such as shall, must or will
C. Short in length, technical specifications and contains directive words such as shall, must or will
D. Directive words such as shall, must, or will, defined policy development process and is short in length.

Answer 127

D

Question 128

The ability of one person in the finance department to add vendors to the vendor database and subsequently pay the vendor violates which concept?
A. A well-formed transaction
B. Separation of duties
C. Least Privilege
D. Data sensitivity level

Answer 128

B

Question 129

Collusion is best mitigated by:
A.  Job rotation
B. Data Classification
C. Defining job sensitivity level
D. Least privilege

Answer 129

A

Question 130

Data Access decisions are best made by:
A. user managers
B. Data Owners
C. Senior Management
D. Application developer

Answer 130

B

Question 131

Which of the following statements BEST described the extent to which an organization should address business continuity or disaster recovery planning?
A. Continuity Planning is significant organizational issue and should include all parts or functions of the company
B. Continuity planning is a significant technology issue and the recovery of technology should be its primary focus
C. Continuity planning is required only where there is complexity in voice and data communications
D. Continuity planning is a significant management issue and should include the primary functions specified by managemen

Answer 131

A

Question 132

Business impact analysis is performed to BEST identify:
A. The impacts of a threat to the organization operations
B. The exposure to loss to the organization
C. The impacts of a risk on the organization
D. The cost efficient way to eliminate threats

Answer 132

B

Question 133

During the risk analysis phase of the planning, which of the following actions could BEST manage threats or mitigate the effects of an event?
A. Modifying the exercise scenario
B. Developing recovery procedures
C. Increasing reliance on key individuals
D. Implementing procedural controls

Answer 133

D

Question 134

The BEST reason to implement additional controls or safeguards is to:
A. deter or remove the risk
B. Identify and eliminate the threat
C. Reduce the impact of the threat
D. identify the risk and the threat

Answer 134

C

Question 135

Which of the following statements BEST describes organization impact analysis?
A. Risk analysis and organization impact analysis are two different terms describing the same project effort
B. A organization impact analysis calculates the probability of disruptions to the organizations
C. A organization impact analysis is critical to development of a business continuity plan
D. A organization impact analysis establishes the effect of disruptions on the organization

Answer 135

D

Question 136

The term "disaster recovery" refers to the recovery of:
A. organization operations
B. Technology environment
C. manufacturing environment
D. personnel environments

Answer 136

B

Question 137

Which if the following terms BEST described the effort to determine the consequences of disruption that could result from a disaster?\
A. Business Impact Analysis
B. Risk Analysis
C. Risk Assessment
D. Project problem definition

Answer 137

A

Question 138

the elements of risk are as follows:
A. natural Disasters and man-made disasters
B. Threats, assets and mitigating controls
C. Risk and business impact analysis
D. Business Impact analysis and mitigating controls

Answer 138

B

Question 139

Which if the following methods is not acceptable for exercising the business continuity plan?
A. Table-top exercise
B. Call exercise
C. Simulated exercise
D. Halting a production application or function

Answer 139

D

Question 140

Which of the following is the primary desired result of any well-planned business continuity exercise?
A. Identifies plan strengths and weaknesses
B. Satisfies management requirements
C. Complies with auditors requirements
D. Maintains shareholder confidence

Answer 140

A

Question 141

A business continuity plan is best updated and maintained:
A. Annually or when requested by auditors
B. Only when new versions of software are deployed
C. Only when new hardware is deployed
D. During the configuration and change management process

Answer 141

D

Question 142

Which of the following is MOST important for successful business continuity>
A. Senior leadership support
B. Strong technical support staff
C. Extensive wide are network
D. An integrated incident response team

Answer 142

A

Question 143

A Service's recovery point objective is zero. Which approach BEST ensures the requirement is met?
A. RAID 6 with a hot site alternative
B. RAID 0 with a warm site alternative
C. RAID 0 with a cold site alternative
D. RAID 6 with a reciprocal agreement

Answer 143

A

Question 144

The (ISC)2 code of ethics resolves conflicts between canons by:
A. there can never be conflicts between canons
B. Working through adjuducation
C. The order of the canons
D. Vetting all canon conflicts through the board of directives

Answer 144

C