Security Domain

Question 1

What are the two primary purposes of the Health Insurance Portability and Accountability Act (HIPPA)?

Answer 1

Security and Privacy

Question 2

What exists to alleviate the risk of certain threats by providing monetary compensation in the event those threats occur?

Answer 2

Insurance

Question 3

What does the acronym SLE denote?

Answer 3

Single Loss Expectancy

Question 4

Which element of the CIA triad ensures that transferred data is not altered in transmission?

Answer 4

Integrity

Question 5

Of which control is enforcing mandatory vacation an example?

Answer 5

Administrative Control

Question 6

What the purpose of a preventative control?

Answer 6

To prevent security incidents before they occur

Question 7

Which type of control is required for detecting occurrences of risks?

Answer 7

Detective Control

Question 8

Which organization has developed an ethics-related statement concerning the use of the Internet?

Answer 8

Internet Architecture Board

Question 9

What is the term for the process of identifying information assets and their associated threats, vulnerabilities, and potential risks?

Answer 9

Risk Analysis

Question 10

Which formula should you use to determine the Single Loss Expectancy (SLE) of an asset

Answer 10

Asset Value (AV) * Exposure Factor (EF)

Question 11

Who should oversee the development of the information security policy?

Answer 11

An organization’s business operations manager

Question 12

Which term refers to the processes and procedures that are followed to minimize the problems affecting the information systems?

Answer 12

Problem Management

Question 13

What is meant by the term enrollment time in a biometric system? pg 571

Answer 13

the time it takes to register the system by providing samples of a biometric characteristic (biometric factor)

Question 14

What is Third-Party governance?

Answer 14

It is a system of oversight that may be mandated by law, regulation, industry standard, contractual obligation, or licensing requirements.

Question 15

What does Third-party governance focus on?

Answer 15

verifying compliance with stated security objectives, requirements, and regulations, and contractual obligations.

Question 16

The possibility that something could happen to damage, destroy, or disclose data or other resources is known as

Answer 16

Risk

Question 17

What is the primary goal of risk management?

Answer 17

reduce risk to an acceptable level

Question 18

The process by which the goals of risk management are achieved is known as

Answer 18

Risk analysis

Question 19

Prioritizing and comparing risk to losses require ___

Answer 19

Asset valuation

Question 20

What is the risk formula?

Answer 20

= threat * vulnerability

Question 21

What is Qualitative Risk Analysis?

Answer 21

is based on scenarios than calculations. Exact dollar figures are not assigned to possible losses; instead threats are ranked on a scale to evaluate their risks, costs, and effects. Such an analysis assists those responsible in creating proper risk management policies.

Question 22

Quantitative Risk Analysis

Answer 22

Results in concrete probability percentages.
The end result is a report that has dollar figures for levels of risk, potential loss, cost of countermeasures, and value of safeguards.

Question 23

What are the six steps of the risk management framework? (Figure 2.7 page 80)

Answer 23

Categorize, Select, Implement, Assess, Authorize, and Monitor

Question 24

What is the prerequisite to security training?

Answer 24

Awareness

Question 25

What is the annualized loss expectancy (ALE)

Answer 25

ALE is an element of quantitative risk analysis that represents the possible yearly cost of all instances of a specific realized threat against a specific asset.

Question 26

What is exposure factor?

Answer 26

An element of quantitative risk analysis that represents the cost associated with the single realized risk against a specific asset.

Question 27

What are the elements of risk analysis?

Answer 27

1. Analyzing an environment for risks; 2. Evaluating each threat event as to its likelihood of occurring and the damage it would cause, 3. Assessing the cost of various countermeasures for each risk, and 4. Creating a accost/benefit report for safeguards to present to upper management.

Question 28

How is the value of a safeguard to a company calculated?

Answer 28

ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard [(ALE1-ALE2)-ACS]

Question 29

When evaluating safeguards, what is the rule that should be followed in most cases?

Answer 29

The annual costs of safeguards should not exceed the expected annual cost of asset loss.

Question 30

ALE is calculated using the following formula:

Answer 30

ALE= SLE*ARO

Question 31

What is total risk?

Answer 31

It is the amount of risk an organization would face if no safeguards were implemented.

Question 32

What is the formula for total risk?

Answer 32

threats * vulnerabilities * asset value = total risk

Question 33

What is residual risk?

Answer 33

The risk that management has chosen to accept rather than mitigate.

Question 34

What are control gaps?

Answer 34

The difference between total risk and residual risk, which is the amount of risk that is reduced by implementing safeguards.

Question 35

Residual risk calculation formula:

Answer 35

total risk- control gaps = residual risks.

Question 36

What are 7-types of controls?

Answer 36

``` Compensating Corrective Detective Deterrent Directive Preventive Recovery ```

Question 37

Calculating Annualized Loss Expectancy with a Safeguard requires a new

Answer 37

EF and ARO specific to the safeguard

Question 38

Formula for Safeguard Cost/Benefit

Answer 38

ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard (ACS) = value of the safeguard to the company

Question 39

What are the five elements of Authentication, Authorization, and Accounting (AAA) services?

Answer 39

1. Identification; 2. Authentication; 3. Authorization; 4. Auditing; and 5. Accounting