1. Who has the primary responsibility of determining the classification level for information? A. The functional manager B. Senior management C. The owner D. The user
1. C. A company can have one specific data owner or different data owners who have been delegated the responsibility of protecting specific sets of data. One of the responsibilities that goes into protecting this information is properly classifying it.
2. Which group causes the most risk of fraud and computer compromises? A. Employees B. Hackers C. Attackers D. Contractors
2. A. It is commonly stated that internal threats comprise 70–80 percent of the overall threat to a company. This is because employees already have privileged access to a wide range of company assets. The outsider who wants to cause damage must obtain this level of access before she can carry out the type of damage internal personnel could dish out. A lot of the damages caused by internal employees are brought about by mistakes and system misconfigurations.
3. If different user groups with different security access levels need to access the same information, which of the following actions should management take? A. Decrease the security level on the information to ensure accessibility and usability of the information. B. Require specific written approval each time an individual needs to access the information. C. Increase the security controls on the information. D. Decrease the classification label on the information.
3. C. If data is going to be available to a wide range of people, more granular security should be implemented to ensure that only the necessary people access the data and that the operations they carry out are controlled. The security implemented can come in the form of authentication and authorization technologies, encryption, and specific access control mechanisms.
4. What should management consider the most when classifying data? A. The type of employees, contractors, and customers who will be accessing the data. B. Availability, integrity, and confidentiality. C. Assessing the risk level and disabling countermeasures. D. The access controls that will be protecting the data.
4. B. The best answer to this question is B, because to properly classify data, the data owner must evaluate the availability, integrity, and confidentiality requirements of the data. Once this evaluation is done, it will dictate which employees, contractors, and users can access the data, which is expressed in answer A. This assessment will also help determine the controls that should be put into place.
5. Who is ultimately responsible for making sure data is classified and protected? A. Data owners B. Users C. Administrators D. Management
5. D. The key to this question is the use of the word “ultimately.” Though management can delegate tasks to others, it is ultimately responsible for everything that takes place within a company. Therefore, it must continually ensure that data and resources are being properly protected.
6. What is a procedure? A. Rules on how software and hardware must be used within the environment B. Step-by-step directions on how to accomplish a task C. Guidelines on how to approach security situations not covered by standards D. Compulsory actions
6. B. Standards are rules that must be followed; thus, they are compulsory. Guidelines are recommendations, while procedures are step-by-step instructions.
7. Which factor is the most important item when it comes to ensuring security is successful in an organization? A. Senior management support B. Effective controls and implementation methods C. Updated and relevant security policies and procedures D. Security awareness by all employees
7. A. Without senior management’s support, a security program will not receive the necessary attention, funds, resources, and enforcement capabilities.
9. What are security policies? A. Step-by-step directions on how to accomplish security tasks B. General guidelines used to accomplish a specific security level C. Broad, high-level statements from the management D. Detailed documents explaining how security incidents should be handled
9. C. A security policy captures senior management’s perspectives and directives on what role security should play within the company. Security policies are usually general and use broad terms so they can cover a wide range of items.
10. Which is the most valuable technique when determining if a specific security control should be implemented? A. Risk analysis B. Cost/benefit analysis C. ALE results D. Identifying the vulnerabilities and threats causing the risk
10. B. Although the other answers may seem correct, B is the best answer here. This is because a risk analysis is performed to identify risks and come up with suggested countermeasures. The ALE tells the company how much it could lose if a specific threat became real. The ALE value will go into the cost/benefit analysis, but the ALE does not address the cost of the countermeasure and the benefit of a countermeasure. All the data captured in answers A, C, and D are inserted into a cost/benefit analysis.
11. Which best describes the purpose of the ALE calculation? A. Quantifies the security level of the environment B. Estimates the loss possible for a countermeasure C. Quantifies the cost/benefit result D. Estimates the loss potential of a threat in a span of a year
11. D. The ALE calculation estimates the potential loss that can affect one asset from a specific threat within a one-year time span. This value is used to figure out the amount of money that should be earmarked to protect this asset from this threat.
12. Tactical planning is: A. Midterm B. Long term C. Day-to-day D. Six months
12. A. Three types of goals make up the planning horizon: operational, tactical, and strategic. Tactical goals are midterm goals that must be accomplished before the overall strategic goal is accomplished.
13. What is the definition of a security exposure? A. An instance of being exposed to losses from a threat B. Any potential danger to information or systems C. An information security absence or weakness D. A loss potential of a threat
13. A. An exposure is an instance of being exposed to losses from a threat agent. A vulnerability can cause an organization to be exposed to possible damages. For example, if password management is lax and password rules are not enforced, the company can be exposed to the possibility of having users’ passwords captured and used in an unauthorized manner.
14. An effective security program requires a balanced application of: A. Technical and nontechnical methods B. Countermeasures and safeguards C. Physical security and technical controls D. Procedural security and encryption
14. A. Security is not defined by a firewall, an access control mechanism, a security policy, company procedures, employee conduct, or authentication technologies. It is defined by all of these and how they integrate together within an environment. Security is neither purely technical nor purely procedural, but rather a mix of the two.
15. The security functionality defines the expected activities of a security mechanism, and assurance defines: A. The controls the security mechanism will enforce B. The data classification after the security mechanism has been implemented C. The confidence of the security the mechanism is providing D. The cost/benefit relationship
15. C. The functionality describes how a mechanism will work and behave. This may have nothing to do with the actual protection it provides. Assurance is the level of confidence in the protection level a mechanism will provide. When systems and mechanisms are evaluated, their functionality and assurance should be examined and tested individually.
16. Which statement is true when looking at security objectives in the private-business sector versus the military sector? A. Only the military has true security. B. Businesses usually care more about data integrity and availability, whereas the military is more concerned with confidentiality. C. The military requires higher levels of security because the risks are so much higher. D. The business sector usually cares most about data availability and confidentiality, whereas the military is most concerned with integrity.
16. B. Although answer C may seem correct to you, it is a subjective answer. Businesses will see their threats and risks as being more important than another organization’s threats and risks. The military has a rich history of having to keep its secrets secret. This is usually not as important in the commercial sector relative to the military.
17. How do you calculate residual risk? A. Threats × risks × asset value B. (Threats × asset value × vulnerability) × risks C. SLE × frequency = ALE D. (Threats × vulnerability × asset value) × controls gap
17. D. The equation is more conceptual than practical. It is hard to assign a number to a vulnerability and a threat individually. This equation enables you to look at the potential loss of a specific asset, as well as the controls gap (what the specific countermeasure cannot protect against). What remains is the residual risk, which is what is left over after a countermeasure is implemented.
18. Which of the following is not a purpose of doing a risk analysis? A. Delegating responsibility B. Quantifying the impact of potential threats C. Identifying risks D. Defining the balance between the impact of a risk and the cost of the necessary countermeasure
18. A. The other three answers are the main reasons to carry out a risk analysis. An analysis is not carried out to delegate responsibilities. Management will take on this responsibility once the results of the analysis are reported to it and it understands what actually needs to be carried out.
19. Which of the following is not a management role in the process of implementing and maintaining security? A. Support B. Performing risk analysis C. Defining purpose and scope D. Delegating responsibility
19. B. The number one ingredient management must provide when it comes to security is support. Management should define the role and scope of security and allocate the funds and resources. Management also delegates who does what pertaining to security. It does not carry out the analysis, but rather is responsible for making sure one is done and that management acts on the results it provides.
20. Why should the team that will perform and review the risk analysis information be made up of people in different departments? A. To make sure the process is fair and that no one is left out. B. It shouldn’t. It should be a small group brought in from outside the organization because otherwise the analysis is biased and unusable. C. Because people in different departments understand the risks of their department. Thus, it ensures the data going into the analysis is as close to reality as possible. D. Because the people in the different departments are the ones causing the risks, so they should be the ones held accountable.
20. C. An analysis is only as good as the data that goes into it. Data pertaining to risks the company faces should be extracted from the people who understand best the business functions and environment of the company. Each department understands its own threats and resources, and may have possible solutions to specific threats that affect its part of the company.
21. Which best describes a quantitative risk analysis? A. A scenario-based analysis to research different security threats B. A method used to apply severity levels to potential loss, probability of loss, and risks C. A method that assigns monetary values to components in the risk assessment D. A method that is based on gut feelings and opinions
21. C. A quantitative risk analysis assigns monetary values and percentages to the different components within the assessment. A qualitative analysis uses opinions of individuals and a rating system to gauge the severity level of different threats and the benefits of specific countermeasures.
22. Why is a truly quantitative risk analysis not possible to achieve? A. It is possible, which is why it is used. B. It assigns severity levels. Thus, it is hard to translate into monetary values. C. It is dealing with purely quantitative elements. D. Quantitative measures must be applied to qualitative elements.
22. D. During a risk analysis, the team is trying to properly predict the future and all the risks that future may bring. It is somewhat of a subjective exercise and requires educated guessing. It is very hard to properly predict that a flood will take place once in ten years and cost a company up to $40,000 in damages, but this is what a quantitative analysis tries to accomplish.
23. If there are automated tools for risk analysis, why does it take so much time to complete? A. A lot of data must be gathered and input into the automated tool. B. Management must approve it and then a team must be built. C. Risk analysis cannot be automated because of the nature of the assessment. D. Many people must agree on the same data.
23. A. An analysis usually takes a long time to complete because of all the data that must be properly gathered. There are generally many different sources for this type of data, and properly extracting it is extremely time-consuming. In most situations, it involves setting up meetings with specific personnel and going through a question-and-answer process.
24. Which of the following is a legal term that pertains to a company or individual taking reasonable actions and is used to determine liability? A. Standards B. Due process C. Due care D. Downstream liabilities
24. C. A company’s or individual’s actions can be judged by the “Prudent Person Rule,” which looks at how a prudent or reasonable person would react in similar situations. Due care means to take these necessary actions to protect the company and its assets, customers, and employees. Computer security has many aspects pertaining to practicing due care. If management does not ensure these things are in place, it can be found negligent.
8. When is it acceptable to not take action on an identified risk? A. Never. Good security addresses and reduces all risks. B. When political issues prevent this type of risk from being addressed. C. When the necessary countermeasure is complex. D. When the cost of the countermeasure outweighs the value of the asset and potential loss.
8. D. Companies may decide to live with specific risks they are faced with if the cost of trying to protect themselves would be greater than the potential loss if the threat were to become real. Countermeasures are usually complex to a degree, and there are almost always political issues surrounding different risks, but these are not reasons to not implement a countermeasure.