Security Management Practices Flashcards

(56 cards)

1
Q

The COSO framework, developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission (formed in 1985), was created to deal with fraudulent financial activities and reporting. The COSO framework is made up of the following components except:

i. Control environment
ii. Risk assessment
iii. Control activities
iv. Information and communication
v. Accreditation

A. iii, iv
B. ii, v
C. i, ii
D. v

A

D. v

The COSO framework is made up of the following components:

• Control environment: management’s philosophy and operating style; company culture as it pertains to ethics and fraud
• Risk assessment: establishment of risk objectives; ability to manage internal and external change
• Control activities: policies, procedures and practices put in place to mitigate risk
• Information and communication: structure that ensures

2
Q

Which category best describes threat modeling?
A. Qualitative approach to risk analysis
B. Value-based approach to risk analysis
C. Quantitative approach to risk analysis
D. None of these

A

A. Qualitative approach to risk analysis

Since threat modeling is based on perceptions, opinions, judgments, and experiences rather than hard costs and facts-threat modeling is an example of a qualitative approach to risk analysis. Calculating hard costs and facts would be a quantitative or value-based approach.

3
Q

Which of the following is not a characteristic typically considered important when initially considering security countermeasures?

A. Modular in nature
B. Includes an audit function
C. Reasonably priced
D. Defaults to least privileged

A

C. Reasonably priced

While a practical concern, the cost of the countermeasure should not be considered until the characteristics of the countermeasure needed have been prioritized.

4
Q
California SB 1386, Sarbanes-Oxley, and HIPAA are examples of what kind of security policy directive?
A. Regulatory
B. Administrative
C. Advisory
D. Informative
A

A. Regulatory

Directives and mandates that typically come from outside the company, from government, legal, or industry authorities, are called regulatory policies. Administrative is not one of the three types of policies. Advisory policies address requirements for certain types of behaviors or activities among the workforce. Informative policies address educational awareness.

5
Q

What is the relationship between policies and standards?

A. Policies detail who should do the work, and standards detail why.
B. Policies detail what should be done, and the standards detail how.
C. Policies describe the security vision, and standards detail what should be done.
D. Policies embody general principles, and standards describe who does the work.

A

B. Policies detail what should be done, and the standards detail how

Policies clearly articulate what is expected from the workforce, and the standards provide specific rules as to how to accomplish these objectives.

6
Q

Management establishes a policy that requires that all information technology professionals must have a college degree with a core emphasis on information technology, and that all system administrators must have a security certification from an accredited program. By doing so, management has established what?

A. A standard
B. A guideline
C. A baseline
D. A regulation

A

C. A baseline

Management has set the baseline minimum requirements for employees working in information technology. Candidates can have higher qualifications, but no one working in IT and in the area of server administration can have lower than the specified qualifications.

7
Q

The operations manager has established the use of uniform checklists for all server maintenance. What has the operations manager done?

A. Established a baseline
B. Established a regulation
C. Established a standard
D. Established a policy

A

C. Established a Standard

The operations manager has established a standard, which specifies how hardware will be maintained. A regulation is a directive usually imposed from an entity outside the company, such as a mandate from government, a legal requirement, or an industry requirement. Policies are usually established by senior management, rather than line management. The operations manager may be reacting to a policy directive that requires uniformity and consistency in server management; the introduction of the checklists provided the tools necessary to implement this policy. Use of the checklists will eventually yield a baseline for server quality.

8
Q

The operations manager has established that prior to building a server, the employee must first check the inventory to make sure that all the spare parts needed are available, they must sign out those parts, and follow a checklist, finally signing and dating it when done. What has the operations manager created?

A. A baseline
B. A procedure
C. A standard
D. A policy

A

B. A procedure

A procedure is the detailed, step-by-step actions needed to achieve a task. By contrast, a policy is usually set by upper management and provides general expectations or objectives that need to be accomplished. Standards are compulsory rules that implement policies; they provide uniformity of work quality and worker behavior by describing how the work will be accomplished. A baseline, on the other hand, sets the minimum standard for behavior and work quality.

9
Q

Which of the following is not a reason why data should be classified?

A. Classification forces valuation which can be used to determine risk.
B. Classification is required to determine appropriate access controls.
C. Classification can be used to optimize security budget.
D. Classification is required to develop secure systems.

A

D. Classification is required to develop secure systems

Data classification is not a requirement of secure systems. Systems can be made secure without any regard to the sensitivity of the data they will handle. However, system investment can be optimized if the data classification, representing its underlying value, is known. Systems handling low sensitivity information, for instance, can require fewer or less rigorous security controls than one that handles top secret information. Knowledge of data classification, therefore, can optimize budgets on development projects, putting money where it is most needed.

10
Q

Which of the following is not a factor in determining the sensitivity of data?

A. Who should be accessing the data
B. The value of the data
C. How the data will be used
D. The level of damage that could be caused should the data be exposed

A

C. How the data will be used

How the data will be used has no bearing on how sensitive it is. In other words, the data is sensitive no matter how it will be used, even if it is not used at all.

11
Q

What is the chief security responsibility of a data owner?

A. Determine how the data should be preserved
B. Determine the data classification
C. Determine the data value
D. Determine how the data will be used

A

B. Determine the data classification

Setting the classification for the data drives all other decisions about the data. Determining how the data will be used and who should use it is within the scope of the data owner, but they are functional, rather than security responsibilities. The owner may participate in determining the value of the data, but since its value is a measure relative to all other corporate data assets, it is not usually something the data owner is solely responsible for. Determining how the data will be preserved falls to the role of the data custodian.

12
Q

Mary has been tasked with preliminary planning for a security program. Which of the following would not be within her task scope?

A. Articulate security mission objectives
B. Determine roles and responsibilities
C. Establish the security audit function
D. Evaluate risks and benefits

A

C. Establish the security audit function

Establishing an audit function represents an activity that the security program might initiate. But first, the program must be established.

13
Q

Besides risk analysis and risk mitigation, what other factor is used to perform effective risk management?

A. Data valuation
B. Threat and vulnerability assessment
C. Uncertainty analysis
D. Probability factors

A

C. Uncertainty analysis

Uncertainty analysis lends a dose of reality to risk assessment, which is built mainly on speculation. The risk assessment should be tempered by applying a method that estimates management’s confidence level in the risk analysis findings and the likelihood of the results remaining valid. Tracking the uncertainty factor can generate historical data that can be used to refine risk assessment techniques going forward. Data valuation, threat and vulnerability assessment, and their associated probability factors relate to the risk analysis part of the risk management activity.

14
Q

Who does the security auditor report to?

A. Data owners
B. Data custodians
C. External audit organization
D. Senior management

A

D. Senior management

The security auditor is responsible for reporting to senior management about the effectiveness of security controls and their compliance with security policy objectives.

15
Q

What are three fundamental principles of security?

A. Accountability, confidentiality, and integrity
B. Confidentiality, integrity, and availability
C. Integrity, availability, and accessibility
D. Confidentiality, availability, and accessibility

A

B. Confidentiality, integrity, and availability

It is known as the CIA (or AIC) triad, which stands for confidentiality, integrity, and availability. These three concepts are also referred to as the CIA or AIC triangle. The acronym was reworded from CIA to AIC by (ISC)2.

16
Q

Mary finds that she has “write” privileges to data that she should be able to “read only”. What security principle is Mary able to violate?

A. Confidentiality
B. Accessibility
C. Integrity
D. Availability

A

C. Integrity

Mary is able to change the data, thereby undermining its intended integrity. Since she had read rights, she is not able to violate confidentiality or availability-the other two main principles. Accessibility is not a term used as one of the primary principles, but it is most closely related to the principle of availability.

17
Q

Business continuity and disaster recovery fall under which category of security control?

A. Preventive
B. Detective
C. Corrective
D. Compensating

A

D. Compensating

Business continuity and disaster recovery do not contribute directly to organizational security, but they can compensate for security disasters by reducing the time it takes to respond to a security incident that interrupts business productivity.

18
Q

What is the value of layering security responsibility?

A. Spreads accountability across the organization
B. Focuses specific responsibilities on the roles best able to accomplish them
C. Ensures separation of duties and encourages oversight
D. All of these choices

A

D. All of these choices

Security is an organizational problem. Optimally securing data and systems requires attention from roles that include senior management, data owners and custodians, security management and professionals, auditors, and users. Each role is accountable for a specific part of ensuring that corporate assets remain secure. Spreading responsibility across several roles ensures separation of duties, and coordinating these efforts obliges management to implement appropriate oversight so that no aspect of security is overlooked.

19
Q

John does systems maintenance for his department and is also responsible for performing the operational security audit once a year. What security management principle is John violating?

A. Operational integrity
B. Collusion
C. Separation of duties
D. Nondisclosure

A

C. Separation of duties

Since John was responsible for doing the work on the system, John should not also be the person who assesses the quality of that work. This is a violation of the principle of separation of duties: no worker should be allowed to check his own work. Collusion refers to two or more people cooperating to defeat a control; separation of duties is valuable precisely because it forces a dishonest person to collude with someone else before a malicious task can be accomplished. Operational integrity is a term generally applied to operational processes and does not apply to this case. Nondisclosure is a requirement not to share sensitive information with persons not authorized to receive it.

20
Q

Which of the following ISO/IEC series mappings are correct? These standards serve as blueprints for organizations to follow when developing their security program:

i. ISO/IEC 27001 - Code of practice providing good-practice advice on an ISMS (previously known as ISO 17799, itself based on British Standard BS 7799 Part 1)
ii. ISO/IEC 27002 - Based on British Standard BS7799 Part 2, which is establishment, implementation, control, and improvement of the Information Security Management System
iii. ISO/IEC 27004 - Designed to assist the satisfactory implementation of information security based on a risk management approach
iv. ISO/IEC 27005 - A standard for information security management measurements
v. ISO/IEC 27006 - A guide to illustrate how to protect personal health information
vi. ISO/IEC 27799 - A guide to the certification/registration process

A. i, ii, iii
B. iv, v
C. All of them
D. None of them

A

D. None of them

Every pairing in the question is swapped. The correct mappings are:

• ISO/IEC 27001 - Based on British Standard BS 7799 Part 2: establishment, implementation, control, and improvement of the Information Security Management System (ISMS)
• ISO/IEC 27002 - Code of practice providing good-practice advice on an ISMS (previously known as ISO 17799, itself based on British Standard BS 7799 Part 1)
• ISO/IEC 27004 - A standard for information security management measurements
• ISO/IEC 27005 - Designed to assist the satisfactory implementation of information security based on a risk management approach
• ISO/IEC 27006 - A guide to the certification/registration process
• ISO/IEC 27799 - A guide to illustrate how to protect personal health information

21
Q

June is creating a security awareness program to inform the workforce of a change in security policy. Which stage of the common development process of security policy is June in?

A. Initial and evaluation
B. Development
C. Publication
D. Implementation

A

C. Publication

The common development process of creating a security policy includes initial and evaluation, development, approval, publication, implementation, and maintenance.

22
Q

A hacker has embedded a Trojan horse program on corporate machines that will trigger on April Fools’ Day, overwhelming the network with spam messages. What security principle will this circumstance violate?

A. Confidentiality
B. Integrity
C. Availability
D. All of these

A

C. Availability

When the network is overwhelmed, no one will be able to access desired information. As data will be unavailable, the principle being violated is availability.

23
Q

Which role is accountable for information security?

A. Information security professionals
B. Senior management
C. Security management
D. Security auditors

A

B. Senior management

Senior management is ultimately accountable for all organizational risk. As security is an organizational risk, senior management is ultimately accountable for information security.

24
Q

Who has the primary responsibility of determining the classification level for information?

A. Functional manager
B. Senior management
C. Owner
D. User

A

C. Owner

A company can have one specific data owner or different data owners who have been delegated the responsibility of protecting specific sets of data. One of the responsibilities that goes into protecting this information is properly classifying it.

25
Q

Which group causes the most risk of fraud and computer compromises?

A. Employees
B. Hackers
C. Attackers
D. Contractors

A

A. Employees

It is commonly stated that internal threats account for 70 to 80 percent of the overall threat to a company. This is because employees already have privileged access to a wide range of company assets. An outsider who wants to cause damage must first obtain that level of access before carrying out the kind of damage internal personnel can. Much of the damage caused by internal employees is brought about by mistakes and system misconfigurations.
26
Q

If different user groups with different security access levels need to access the same information, which of the following actions should management take?

A. Decrease the security level on the information to ensure accessibility and usability of the information
B. Require specific approval each time an individual needs to access the information
C. Increase the security controls on the information
D. Increase the classification label on the information

A

C. Increase the security controls on the information

If data is going to be available to a wide range of people, more security should be implemented to ensure that only the necessary people access the data and that the operations they carry out are controlled. The security implemented can come in the form of authentication and authorization technologies, encryption, and specific access control mechanisms.
27
Q

What does management need to consider the most when classifying data?

A. Type of employees, contractors, and customers who will be accessing the data
B. Confidentiality, integrity, and availability
C. First assess the risk level and implement the correct countermeasures
D. The access controls that will be protecting the data

A

B. Confidentiality, integrity, and availability

To properly classify data, the data owner needs to evaluate the confidentiality, integrity, and availability requirements of the data. Once this is done, it will dictate which employees, contractors, and users can access the data. This assessment will also help determine the controls that should be put into place.
28
Q

Who is ultimately responsible for making sure data is classified and protected?

A. Data owners
B. Users
C. Administrators
D. Management

A

D. Management

The key to this question is the use of the word "ultimately." Management is ultimately responsible for everything that takes place within a company. They need to make sure data and resources are being properly protected on an ongoing basis. They can delegate tasks to others, but they remain ultimately responsible.
29
Q

What is a procedure?

A. Rules on how software and hardware must be used within the environment
B. Step-by-step directions on how to accomplish a task
C. Guidelines on how to approach security situations that are not covered by standards
D. Compulsory actions

A

B. Step-by-step directions on how to accomplish a task

Standards are rules that must be followed, thus they are compulsory. Guidelines are recommendations. Procedures are step-by-step instructions.
30
Q

Which factor is the most important item when it comes to ensuring that security is successful in an organization?

A. Senior management support
B. Effective controls and implementation methods
C. Updated and relevant security policies and procedures
D. Security awareness by all employees

A

A. Senior management support

Without senior management's support a security program will not receive the necessary attention, funds, resources, and enforcement capabilities.
31
Q

When is it acceptable to not take action on an identified risk?

A. Never; good security addresses and reduces all risks
B. When political issues prevent this type of risk from being addressed
C. When the necessary countermeasure is complex
D. When the cost of the countermeasure outweighs the value of the asset and potential loss

A

D. When the cost of the countermeasure outweighs the value of the asset and potential loss

Companies may decide to live with specific risks they are faced with because it would cost more to try to protect themselves than they have the potential of losing if the threat became real. Countermeasures are usually complex to a degree and there are almost always political issues surrounding different risks, but these are not reasons to not implement a countermeasure.
32
Q

What are security policies?

A. Step-by-step directions on how to accomplish security tasks
B. General guidelines to use to accomplish a specific security level
C. Broad, high-level statements from management
D. Detailed documents explaining how security incidents should be handled

A

C. Broad, high-level statements from management

A security policy captures and dictates senior management's perspectives and directives on what role security should play within the company. Policies are usually vague and use broad terms so that they can cover a wide range of items.
33
Q

Which is the most valuable technique when determining if a specific security control should be implemented?

A. Risk analysis
B. Cost/benefit analysis
C. ALE results
D. Identifying the vulnerabilities and threats causing the risk

A

B. Cost/benefit analysis

A risk analysis is performed to identify risks and come up with suggested countermeasures. The ALE tells the company how much it could lose if a specific threat became real. The ALE value feeds into the cost/benefit analysis, but the ALE by itself does not address the cost of the countermeasure or the benefit it provides.
34
Q

Which best describes the purpose of the ALE calculation?

A. Quantifies the security level of the environment
B. Estimates the loss possible for a countermeasure
C. Quantifies the cost/benefit result
D. Estimates the loss potential of a threat in a year span

A

D. Estimates the loss potential of a threat in a year span

The ALE calculation estimates the potential loss that can affect one asset from a specific threat within a one-year time span. This value is used to figure out the amount of money that should be earmarked to protect this asset from this threat.
35
Q

Tactical planning is:

A. Mid-term
B. Long-term
C. Day-to-day
D. Six months

A

A. Mid-term

There are three types of goals that make up the planning horizon: operational, tactical, and strategic. The tactical goals are mid-term goals that must be accomplished before the overall strategic goal is accomplished.
36
Q

What is the definition of a security exposure?

A. An instance of being exposed to losses from a threat
B. Any potential danger to information or systems
C. An information security absence or weakness
D. A loss potential of a threat

A

A. An instance of being exposed to losses from a threat

An exposure means that a vulnerability has been exploited by a threat agent. Examples are a hacker accessing a database through an open port on the firewall, an employee sharing confidential information via e-mail, or a virus infecting a computer.
37
Q

An effective security program requires a balanced application of:

A. Technical and non-technical methods
B. Countermeasures and safeguards
C. Physical security and technical controls
D. Procedural security and encryption

A

A. Technical and non-technical methods

Security is not defined by a firewall, an access control mechanism, a security policy, company procedures, employee conduct, or authentication technologies. It is defined by all of these and how they integrate together within an environment. Security is not purely technical and it is not purely procedural, but a mix of the two.
38
Q

A security function defines the expected behavior from a security mechanism, and assurance defines:

A. The controls the security mechanism will enforce
B. The data classification after the security mechanism has been implemented
C. The confidence of the security the mechanism is providing
D. Cost/benefit relationship

A

C. The confidence of the security the mechanism is providing

The functionality describes how a mechanism will work and behave; this may have nothing to do with the actual protection it provides. Assurance is the level of confidence in the protection level a mechanism will provide. When systems and mechanisms are evaluated, their functionality and assurance should be examined and tested individually.
39
Q

Which statement is true when looking at security objectives in the private business sector versus the military sector?

A. Only the military has true security.
B. Businesses usually care more about data integrity and availability, whereas the military is more concerned with confidentiality.
C. The military requires higher levels of security because the risks are so much higher.
D. The business sector usually cares most about data availability and confidentiality, whereas the military is most concerned about integrity.

A

B. Businesses usually care more about data integrity and availability, whereas the military is more concerned with confidentiality.

Businesses will see their own threats and risks as being more important than another organization's threats and risks. The military has a rich history of having to keep its secrets secret. This is usually not as important in the commercial sector as it is in the military.
40
Q

Which of the following NIST documents is used specifically for risk management?

A. SP 800-53
B. SP 800-63
C. SP 800-30
D. SP 800-90

A

C. SP 800-30

NIST Special Publication 800-30 is the Risk Management Guide for Information Technology Systems (Revision 1 retitled it Guide for Conducting Risk Assessments).
41
Q

How do you calculate residual risk?

A. Threat x risk x asset value
B. (Threat x asset value x vulnerability) x risks
C. SLE x frequency = ALE
D. (Threats x vulnerability x asset value) x controls gap

A

D. (Threats x vulnerability x asset value) x controls gap

The equation is more conceptual than it is practical. It is hard to assign a number to a vulnerability and a threat individually. What this equation is saying is: look at the potential loss to a specific asset and look at the controls gap, which means what the specific countermeasure cannot protect against. What is left is the residual risk. Residual risk is what remains after a countermeasure is implemented.
42
Q

Which of the following is not a purpose of doing risk analysis?

A. Delegate responsibility
B. Quantify impact of potential threats
C. Identify risks
D. Define the balance between the impact of a risk and the cost of the necessary countermeasure

A

A. Delegate responsibility

The other three answers are the main reasons to carry out a risk analysis. An analysis is not carried out to delegate responsibilities. Management will take on this responsibility once the results of the analysis are reported to them and they understand what actually needs to be carried out.
43
Q

How does a risk analysis show management how much money to spend per security measure?

A. It shows management how much could be lost if the security measure is not implemented.
B. It calculates the frequency of the risk multiplied by the cost/benefit ratio of the ALE.
C. It shows management how much money could be saved if the security program was implemented.
D. It provides the qualitative severity of the security measure.

A

A. It shows management how much could be lost if the security measure is not implemented.

The crux of carrying out a risk analysis is to calculate risk and estimate how much specific threats could cost the company. From these numbers and information, management can make a decision on the best security mechanisms and how much should be spent on them.
44
Q

Which of the following is not a management role in the process of implementing and maintaining security?

A. Support
B. Perform risk analysis
C. Define purpose and scope
D. Delegate responsibility

A

B. Perform risk analysis

The number one ingredient management needs to provide when it comes to security is support. They need to define the role of security, the scope of security, and the different assessments that will be carried out, and they will delegate who does what pertaining to security. They will not carry out the analysis, but are responsible for making sure one is done and that they act on the results it provides.
45
Q

Why should the team that is going to perform and review the risk analysis information be made up of people in different departments?

A. To make sure the process is fair and that no one is left out.
B. They shouldn't. It should be a small group brought in from outside the organization because otherwise the analysis is biased and unusable.
C. Because people in different departments understand the risks of their department and it ensures that the data going into the analysis is as close to reality as possible.
D. Because the people in the different departments are the ones causing the risks, so they should be the ones held accountable.

A

C. Because people in different departments understand the risks of their department and it ensures that the data going into the analysis is as close to reality as possible.

An analysis is only as good as the data that goes into it. Data pertaining to the risks the company faces should be extracted from the people who understand the business functions and environment of the company best. Each department understands its own threats and resources, and may have possible solutions to specific risks that affect its part of the company.
46
Q

Which best describes quantitative risk analysis?

A. Scenario-based analysis to research different security threats
B. A method used to apply severity levels to potential loss, probability of loss, and risks
C. A method that assigns monetary values to components in the risk assessment
D. A method that is based on gut feelings and opinions

A

C. A method that assigns monetary values to components in the risk assessment

A quantitative risk analysis assigns monetary values and percentages to the different components within the assessment. A qualitative analysis uses the opinions of individuals and a rating system to gauge the severity level of different threats and the benefits of specific countermeasures.
47
Q

Why is a truly quantitative risk analysis not possible to achieve?

A. It is possible, which is why it is used.
B. It assigns severity levels. Thus, it is hard to translate into monetary values.
C. It is dealing with purely quantitative elements.
D. Quantitative measures must be applied to qualitative elements.

A

D. Quantitative measures must be applied to qualitative elements.

During a risk analysis, the team is trying to properly predict the future and all the risks that future may bring. It is a somewhat subjective exercise and educated guessing must take place. It is very hard to properly predict that a flood will take place once in ten years and cost a company up to $40,000 in damages, but this is what a quantitative analysis tries to accomplish.
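A worked example of the quantitative figures used in cards 31, 33, 34 and 47 (single loss expectancy, annualized loss expectancy, and the cost/benefit value of a countermeasure), added here and not part of the original flashcards. It reuses the flood scenario from card 47 (once in ten years, $40,000 per occurrence); the asset value, exposure factor, the two candidate countermeasures and their costs are constructed for illustration.

```python
"""Quantitative risk analysis: SLE, ALE and countermeasure selection.

Added example (not from the original flashcards). All dollar figures and
rates below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV: what the asset is worth, in dollars
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0..1.0
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF (loss from one occurrence)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO (expected yearly loss)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float      # purchase amortized over its life plus yearly upkeep
    residual_ef: float      # EF that remains once the control is in place
    residual_aro: float     # ARO that remains once the control is in place

    def ale_after(self, threat: Threat) -> float:
        """ALE for the same threat after this control is applied."""
        return threat.asset_value * self.residual_ef * self.residual_aro

    def value(self, threat: Threat) -> float:
        """Cost/benefit result: (ALE before) - (ALE after) - annual cost.

        The ALE alone (card 33) says nothing about the control; this figure
        does, and a negative value means the control costs more than it saves.
        """
        return threat.ale() - self.ale_after(threat) - self.annual_cost


def recommend(threat: Threat, options: list[Countermeasure]) -> tuple[str, str]:
    """Choose the countermeasure with the highest positive value.

    Returns ("reduce", name) when some control saves more than it costs, and
    ("accept", "") when every option costs more than the loss it prevents,
    which is the one acceptable reason for not acting on a risk (card 31).
    """
    best = max(options, key=lambda cm: cm.value(threat), default=None)
    if best is None or best.value(threat) <= 0:
        return ("accept", "")
    return ("reduce", best.name)


# Constructed scenario (card 47): a flood once in ten years (ARO 0.1) that
# destroys 10 percent of a $400,000 asset, i.e. $40,000 per occurrence.
FLOOD = Threat(name="flood", asset_value=400_000.0, exposure_factor=0.10, aro=0.10)

FLOOD_OPTIONS = [
    # Barriers cost $3,000/yr; the flood still happens but spoils far less.
    Countermeasure("flood barriers", annual_cost=3_000.0,
                   residual_ef=0.01, residual_aro=0.10),
    # Relocating removes the risk entirely but costs more than it saves.
    Countermeasure("relocate server room", annual_cost=10_000.0,
                   residual_ef=0.0, residual_aro=0.0),
]


if __name__ == "__main__":
    print(f"SLE = ${FLOOD.sle():,.0f}  ALE = ${FLOOD.ale():,.0f}")
    for cm in FLOOD_OPTIONS:
        print(f"{cm.name}: ALE after = ${cm.ale_after(FLOOD):,.0f}, "
              f"value = ${cm.value(FLOOD):,.0f}")
    print(recommend(FLOOD, FLOOD_OPTIONS))
```

With these figures the ALE is $4,000 a year; barriers are worth implementing (net value $600), relocation is not (net value -$6,000), and if relocation were the only option the right decision would be to accept the risk rather than spend $10,000 a year to avoid a $4,000 expected loss.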
48
Q

If there are automated tools for risk analysis, why does it take so much time to complete?

A. A lot of data has to be gathered to be input into the automated tool.
B. Management has to approve it and then a team has to be built.
C. Risk analysis cannot be automated because of the nature of the assessment.
D. Many people have to agree on the same data.

A

A. A lot of data has to be gathered to be input into the automated tool.

An analysis usually takes a long time to complete because of all the data that must be properly gathered. There are usually many different sources for this type of data and properly extracting it is extremely time consuming. In most situations, it involves setting up meetings with specific personnel and going through a question-and-answer process.
49
Which of the following is a legal term that pertains to a company or individual taking reasonable actions and is used to determine liability?
A. Standards
B. Due process
C. Due care
D. Downstream liabilities

C. Due care
A company's, or individual's, actions can be judged by the "prudent man rule," which looks at how a prudent, or reasonable, man would react in similar situations. Due care means to take these necessary actions to protect the company, its assets, customers, and employees. Computer security has many aspects pertaining to practicing due care, and if management does not ensure that these things are in place, they can be found negligent.
50
Which of the following is not an example of due care?
A. Providing security awareness training to all employees
B. Requiring employees to sign nondisclosure agreements
C. Implementing mandatory vacations for all employees
D. Allowing a key job function to be completed by one highly qualified employee

D. Allowing a key job function to be completed by one highly qualified employee
Separation of duties ensures that no one individual carries out critical tasks alone, thus helping to limit fraud opportunities. A company can be seen as negligent if it allows one individual to carry out a critical task that can negatively affect the company as a whole.
51
Risk should be handled in any of the following ways except:
A. Reduce risk
B. Accept risk
C. Transfer risk
D. Reject risk

D. Reject risk
Rejecting risk and threat potential is a violation of the due care responsibility for which each company's management team is held liable. Rejecting risk means ignoring that it exists and, in turn, taking no steps to mitigate it.
52
The Control Objectives for Information and related Technology (CobiT) is a framework and set of best practices. Which of the following provides an incorrect characteristic of CobiT?
A. Developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).
B. It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs.
C. A majority of regulation compliance and audits are built on the CobiT framework.
D. CobiT is broken down into five domains.

D. CobiT is broken down into five domains.
The Control Objectives for Information and related Technology (CobiT) is a framework and set of best practices developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs. CobiT is broken down into four domains.
53
A data storage company's number one security goal is to ensure that their data is protected and integrity is achieved. Of the following controls, which best achieves the goal of ensuring integrity?
A. Access controls
B. Technical controls
C. Physical controls
D. None of these

A. Access controls
Access controls are used to permit or deny users access to data, which helps to protect its integrity. There are physical and technical controls that can be used to provide access control, but there are also administrative access controls that can help protect the integrity of the data. Access controls are the more general answer and encompass technical and physical controls.
54
A new security policy has recently been put into place to achieve many company objectives. Which of the following objectives could not be achieved by a security policy?
A. Ensuring that all data has a high level of integrity
B. Reducing levels of fraudulent activity by employees
C. Ensuring higher levels of data accuracy
D. Ensuring higher levels of security awareness by employees

C. Ensuring higher levels of data accuracy
Security policies can help companies achieve many goals, but ensuring that data is entered correctly is not one of them. A policy can help improve the controls that are put into place, which could indirectly improve accuracy levels, but the policy itself would not be useful in this area. The other objectives can all be achieved directly by the security policy.
55
Your company's security director calls a meeting to stress the importance of data integrity within the company. There is a concern because of several violations that have been noticed lately. Of the examples below, which would not be considered an integrity violation?
A. An unauthorized analyst performing a cost analysis on classified information
B. An unauthorized data processor making changes to a protected database
C. An operations technician making a change to a mainframe configuration setting by accident
D. A senior IT analyst making deliberate and unauthorized changes to user accounts

A. An unauthorized analyst performing a cost analysis on classified information
An analyst performing an unauthorized task is a problem, but it jeopardizes the confidentiality of the data, not the integrity of the data. As long as the employee is not making changes to the data, the integrity remains intact. All of the other examples represent instances where data has been altered.
56
John covertly learns the user ID and password of a higher-ranked technician and uses the credentials to access certain areas of a network. What term describes what John has done?
A. IP spoofing
B. Backdooring
C. Masquerading
D. Data diddling

C. Masquerading
Masquerading is a term that describes a person who pretends to be an authorized user to circumvent established controls.