by 0x4b4d


1. You're the chief security contact for MTS. One of your primary tasks is to document everything related to security and create a manual that can be used to manage the company in your absence. Which documents should be referenced in your manual as the ones that identify the methods used to accomplish a given task?
A Policies
B Standards
C Guidelines
D BIA

1. C. Guidelines help clarify processes to maintain standards. Guidelines tend to be less formal than policies or standards.

2. Consider the following scenario: The asset value of your company's primary servers is $2 million and they are housed in a single office building in Anderson, Indiana. You have field offices scattered throughout the United States, so the servers in the main office account for approximately half the business. Tornados in this part of the country are not uncommon, and it is estimated one will level the building every 60 years.
Which of the following is the SLE for this scenario?
A $2 million
B $1 million
C $500,000
D $33,333.33
E $16,666.67

2. B. SLE (single loss expectancy) is equal to asset value (AV) times exposure factor (EF). In this case, asset value is $2 million and exposure factor is 1/2.

3. Consider the following scenario: The asset value of your company's primary servers is $2 million and they are housed in a single office building in Anderson, Indiana. You have field offices scattered throughout the United States, so the servers in the main office account for approximately half the business. Tornados in this part of the country are not uncommon, and it is estimated one will level the building every 60 years.
Which of the following is the ALE for this scenario?
A $2 million
B $1 million
C $500,000
D $33,333.33
E $16,666.67

3. E. ALE (annual loss expectancy) is equal to SLE times the annualized rate of occurrence. In this case, SLE is $1 million and the ARO is 1/60.

4. Consider the following scenario: The asset value of your company's primary servers is $2 million and they are housed in a single office building in Anderson, Indiana. You have field offices scattered throughout the United States, so the servers in the main office account for approximately half the business. Tornados in this part of the country are not uncommon, and it is estimated one will level the building every 60 years.
Which of the following is the ARO for this scenario?
A 0.0167
B 1
C 5
D 16.7
E 60

4. A. ARO (annualized rate of occurrence) is the frequency (in number of years) the event can be expected to happen. In this case, ARO is 1/60 or 0.0167.

5. Which of the following strategies involves identifying a risk and making the decision to no longer engage in the action?
A Risk acceptance
B Risk avoidance
C Risk deterrence
D Risk mitigation
E Risk transference

5. B. Risk avoidance involves identifying a risk and making the decision to no longer engage in the actions associated with that risk.

6. Which of the following policy statements may include an escalation contact, in the event that the person dealing with a situation needs to know whom to contact?
A Scope
B Exception
C Overview
D Accountability

6. B. The exception policy statement may include an escalation contact, in the event that the person dealing with a situation needs to know whom to contact.

7. Which of the following policies are designed to reduce the risk of fraud and prevent other losses in an organization?
A Separation of duties
B Acceptable use
C Least privilege
D Physical access control

7. A. The separation of duties policies are designed to reduce the risk of fraud and prevent other losses in an organization.

8. What is the term used for events that mistakenly were flagged and aren't truly events to be concerned with?
A Fool's gold
B Non-incidents
C Error flags
D False positives

8. D. False positives are events that mistakenly were flagged and aren't truly events to be concerned with.

9. Which of the following is the structured approach that is followed to secure the company's assets?
A Asset management
B Incident management
C Change management
D Skill management

9. C. Change management is the structured approach that is followed to secure the company's assets.

10. Which of the following strategies involves sharing some of the burden of the risk with someone else such as an insurance company?
A Risk acceptance
B Risk avoidance
C Risk deterrence
D Risk mitigation
E Risk transference

10. E. Risk transference involves sharing some of the burden of the risk with someone else such as an insurance company.

11. The risk-assessment component, in conjunction with the ________, provides the organization with an accurate picture of the situation facing it.
A RAC
B ALE
C BIA
D RMG

11. C. The risk-assessment component, in conjunction with the BIA (Business Impact Analysis), provides the organization with an accurate picture of the situation facing it.

12. Which of the following policy statements should address who is responsible for ensuring that it is enforced?
A Scope
B Exception
C Overview
D Accountability

12. D. The accountability policy statement should address who is responsible for ensuring that it is enforced.

13. Which of the following strategies is accomplished anytime you take steps to reduce the risk?
A Risk acceptance
B Risk avoidance
C Risk deterrence
D Risk mitigation
E Risk transference

13. D. Risk mitigation is accomplished anytime you take steps to reduce the risk.

14. If you calculate SLE to be $4,000 and that there will be 10 occurrences a year (ARO), then the ALE is:
A $400
B $4,000
C $40,000
D $400,000

14. C. If you calculate SLE to be $4,000 and that there will be 10 occurrences a year (ARO), then the ALE is $40,000 ($4,000 × 10).

15. Which of the following policies describes how the employees in an organization can use company systems and resources, both software and hardware?
A Separation of duties
B Acceptable use
C Least privilege
D Physical access control

15. B. The acceptable use policies describe how the employees in an organization can use company systems and resources, both software and hardware.

16. Separation of duties helps prevent an individual from embezzling money from a company. To successfully embezzle funds, an individual would need to recruit others to commit an act of __________.
A Misappropriation
B Misuse
C Collusion
D Fraud

16. C. Collusion is an agreement between two or more parties established for the purpose of committing deception or fraud. Collusion, when part of a crime, is also a criminal act in and of itself.

17. Which of the following strategies involves understanding something about the enemy and letting them know the harm that can come their way if they cause harm to you?
A Risk acceptance
B Risk avoidance
C Risk deterrence
D Risk mitigation
E Risk transference

17. C. Risk deterrence involves understanding something about the enemy and letting them know the harm that can come their way if they cause harm to you.

18. If you calculate SLE to be $25,000 and that there will be one occurrence every four years (ARO), then what is the ALE?
A $6,250
B $12,500
C $25,000
D $100,000

18. A. If you calculate SLE to be $25,000 and that there will be one occurrence every four years (ARO), then the ALE is $6,250 ($25,000 × .25).

19. Which of the following policies should be used when assigning permissions, giving users only the permissions they need to do their work and no more?
A Separation of duties
B Acceptable use
C Least privilege
D Physical access control

19. C. The principle of least privilege should be used when assigning permissions. Give users only the permissions they need to do their work and no more.

20. Which of the following strategies necessitates an identified risk that those involved understand the potential cost/damage and agree to accept?
A Risk acceptance
B Risk avoidance
C Risk deterrence
D Risk mitigation
E Risk transference

20. A. Risk acceptance necessitates an identified risk that those involved understand the potential cost/damage and agree to accept.

Risk analysis
An evaluation of each risk that can be identified. Each risk should be outlined, described, and evaluated on the likelihood of it occurring.
Annualized Rate of Occurrence (ARO)
A calculation of how often a threat will occur. For example, a threat that occurs once every five years has an annualized rate of occurrence of 1/5, or 0.2.
Single Loss Expectancy (SLE)
The cost of a single loss when it occurs. This loss can be a critical failure, or it can be the result of an attack.
Threat
Any perceivable risk.
Policies
Rules or standards governing usage. These are typically high level in nature.
Collusion
An agreement between individuals to commit fraud or deceit.
Best Practices
A set of rules governing basic operations.
Security Policies
Rules set in place by a company to ensure the security of a network. These may include how often a password must be changed or how many characters a password should be.
False Positives
A flagged event that isn't really an event and has been falsely triggered.
Categories of control types
Technical, Management, Operational
Approaches to Risk
Avoidance, Transference, Mitigation, Deterrence, Acceptance
Quantitative Risk Calculation
SLE x ARO = ALE
SLE = AV x EF

SLE = Single Loss Expectancy
ARO = Annualized Rate of Occurrence
ALE = Annual Loss Expectancy
AV = Asset Value
EF = Exposure Factor
Standards
Requirements for a specific issue
Guidelines
Advice on issues
Cloud computing implementations
Platform as a Service
Software as a Service
Infrastructure as a Service