1 - Information Security Governance and Risk Management Flashcards

1
Q
Which of the following is not an example of a security control that ensures confidentiality?
a. Data classification
b. Encryption
c. Restricting changes
d. Network traffic padding
A

C: Restricting changes is an integrity protecting security mechanism.

2
Q
Who is ultimately responsible and liable if the security perimeter of an organization is violated by an intruder and asset losses occur?
a. Senior management
b. Network or system administrators
c. Security guards
d. End users
A

A: Senior management is ultimately responsible and liable if the security perimeter of an organization is violated by an intruder and asset losses occur. Senior management is responsible for all aspects of security and is the primary decision maker. However, in most cases the implementation of security is delegated to lower levels of the authority hierarchy, such as the network or system administrators.

3
Q
Which of the following is not an example of a technical or logical security control?
a. Encryption
b. Personnel screening
c. Identification
d. Access Control Lists
A

B: Personnel screening is an administrative security control. There are three types of security controls: administrative, physical, and logical or technical.

4
Q
Which of the following is an administrative security control?
a. Personnel screening
b. Encryption
c. Authorization
d. Security guards
A

A: Personnel screening is an administrative security control.

5
Q
Which of the following is a technical security control?
a. Standards
b. Security devices
c. Door locks
d. Personnel screening
A

B: Security devices are technical security controls.

6
Q
Which of the following is a physical security control?
a. Logical access controls
b. Security awareness training
c. Identification
d. Environmental controls
A

D: Environmental controls are physical security controls.

7
Q
Which of the following is the best personnel arrangement for the design and management of security for an organization?
a. A single security professional from within the organization
b. A team of security professionals from the organization
c. A team of employees representing every department within the organization
d. An outside consultant
A

B: The best personnel arrangement for the design and management of security for an organization is a team of internal security professionals.

8
Q
Which of the following is not a role or responsibility of the Security Administration team or group within an organization?
a. Monitoring the security of the entire organization
b. Integrating security into the business environment
c. Identifying, valuating, and classifying assets
d. Approving the security policy
A

D: Approving the security policy is the responsibility of senior management, not that of the Security Administration team or group within an organization.

9
Q
Who is ultimately responsible for negligence in protecting the assets of an organization?
a. Senior management
b. Security team
c. IT department
d. Data custodian
A

A: Senior management is ultimately responsible for implementing prudent due care and is liable for negligence in protecting the assets of an organization.

10
Q
Which of the following is not one of the three security control types that a security administrator can employ to manage and impose security?
a. Administrative
b. Technical
c. Strategic
d. Physical
A

C: Administrative, technical, and physical are the three security control types that a security administrator can employ to manage and impose security.

11
Q
Which of the following is not an element in the CIA triad?
a. Availability
b. Integrity
c. Privacy
d. Confidentiality
A

C: Confidentiality, integrity, and availability are the elements of the CIA triad.

12
Q
Which of the following is a valid definition for confidentiality?
a. Unauthorized disclosure is prevented.
b. Unauthorized modification is prevented.
c. Resources are accessible at all times by authorized users.
d. Disasters can be recovered from quickly.
A

A: Confidentiality can be defined by “Unauthorized disclosure is prevented.”

13
Q
Which of the following is not a task assigned to a data owner?
a. Assign classifications to data
b. Dictate how information is to be protected
c. Delegate security responsibilities to data custodians
d. Implement security controls
A

D: Implementing security controls is the responsibility of the security administration team or data custodians, not senior management.

14
Q
A security administrator may employ all but which of the following types of controls to implement a security solution?
a. executive
b. administrative
c. technical
d. physical
A

A: Executive is not a valid type of security control. The three valid types of security control are administrative, technical (or logical), and physical.

15
Q
Which of the following is an example of an administrative security control?
a. security guards
b. policies
c. locks
d. intrusion detection systems
A

B: Policies are an example of an administrative security control.

16
Q
Which of the following is not an example of an administrative security control?
a. Standards
b. Guidelines
c. Identification
d. Personnel screening
A

C: Identification is an example of a logical/technical security control.

17
Q
Which of the following is not one of the fundamental principles of security included in the CIA triad?
a. Confidentiality
b. Integrity
c. Accountability
d. Availability
A

C: While accountability is an important part of IT security, it is not one of the three fundamental principles of security included in the CIA triad, which includes Confidentiality, Integrity and Availability.

18
Q
The ability of a computer system to provide adequate capacity for predictable performance represents which of the fundamental security principles of the CIA triad?
a. Confidentiality
b. Integrity
c. Accountability
d. Availability
A

D: The ability of a computer system to provide adequate capacity for predictable performance is an example of Availability.

19
Q
Which of the following is not an example of a physical security control?
a. Dogs
b. Fencing
c. Biometric authentication
d. Badge IDs
A

C: Biometric authentication is an example of a technical/logical security control.

20
Q
Which of the following is not an example of a valid activity of security management?
a. Evaluating the loss of productivity due to restrictions imposed by the security solution
b. Managing user complaints of access restrictions or resource unavailability by fine-tuning least privilege access
c. Proposing to senior management the alteration or rescinding of a security policy
d. Deploying a new security control in a mission-critical environment
A

D: It is not a good security management practice to implement new security controls, especially in mission critical environments, before that control has been thoroughly tested.

21
Q
Which of the following is an example of a technical security control?
a. procedures
b. awareness training
c. perimeter lighting
d. encryption
A

D: Encryption is an example of a technical/logical security control.

22
Q
Which of the following is not an example of a technical security control?
a. Fire detection and suppression
b. Access control matrix
c. Authorization
d. Traffic filtering
A

A: Fire detection and suppression is an example of a physical security control.

23
Q
Which of the following is an example of a physical security control?
a. Rules based access controls
b. CCTV
c. Exit interviews
d. Traffic tunneling
A

B: CCTV is an example of a physical security control.

24
Q
Which of the following is an example of a security control that focuses on maintaining availability?
a. Encrypted transport of data
b. Quick recovery from faults
c. Fixed packet length transmissions
d. User awareness training
A

B: Quick recovery from faults is an example of a security control that focuses on maintaining availability.

25
Q
Which of the following is not an example of a security control that focuses on maintaining availability?
a. clustered machines
b. avoiding single points of failure
c. implementing need to know access controls
d. controlling the environmental characteristics
A

C: Implementing need to know access controls is an example of a security control that focuses on maintaining confidentiality.

26
Q
What is a vulnerability?
a. The likelihood that a system will experience a security breach
b. An instance of being exposed to losses from a threat agent
c. A potential danger to information or systems
d. The absence or weakness of a safeguard that could be exploited
A

D: A vulnerability is the absence or weakness of a safeguard that could be exploited.

27
Q
Which of the following is not an example of a security control that focuses on maintaining confidentiality?
a. Data encryption
b. access control
c. change restrictions
d. personnel training
A

C: Change restrictions is an example of a security control that focuses on maintaining integrity.

28
Q
Which of the following is an example of a security control that focuses on maintaining integrity?
a. Network monitoring
b. Denial of service attack protection
c. data classification
d. Encryption of data in transit
A

D: Encryption of data in transit is an example of a security control that focuses on maintaining integrity.

29
Q
Which of the following is not an example of a security control that focuses on maintaining integrity?
a. Network monitoring
b. Managing alterations to data in a database
c. Validating input data
d. Message Digest
A

A: Network monitoring is an example of a security control that focuses on maintaining availability.

30
Q
For a security policy to be effective and comprehensive, it must thoroughly address the three fundamental principles of security, which are?
a. Confidentiality, Integrity, Availability
b. Confinement, Integrity, Accessibility
c. Corroboration, Interrogation, Authorization
d. Continuity, Intelligence, Authentication
A

A: The three fundamental principles of security are Confidentiality, Integrity, and Availability.

31
Q
Which of the following is an example of a security control that focuses on maintaining confidentiality?
a. controlled interface to access data
b. network traffic padding
c. input validity verification
d. backups
A

B: Network traffic padding is an example of a security control that focuses on maintaining confidentiality.

32
Q
Which of the following is not an example of a risk?
a. Failing to review audit logs
b. Failing to enforce password policy
c. Not updating anti-virus software
d. Not filtering traffic on border communication links
A

A: Failing to review audit logs is not a risk, but it does show a lack of compliance with a realistic security policy. Audit logs will often reveal when a risk has become an actual intrusion or attack.

33
Q
Which of the following is not a method by which risk is reduced or eliminated?
a. Applying a safeguard
b. Waiting
c. Removing the vulnerability
d. Blocking the threat agent
A

B: Waiting is not a valid response to risk and waiting will not reduce risk.

34
Q
An instance of being exposed to losses from a threat is known as?
a. Vulnerability
b. Single loss expectancy
c. Exposure
d. Breach
A

C: Exposure is an instance of being exposed to losses from a threat.

35
Q
Which of the following is not an example of a vulnerability?
a. Assigning all users access based on job descriptions
b. Modems on clients
c. Open ports
d. Access to the server room
A

A: Assigning all users access based on job descriptions is a valid form of security control; however, it is not an example of a vulnerability.

36
Q
Which of the following is an example of a vulnerability?
a. Restricting access to authorized users
b. Failing to enforce the password policy
c. Filtering traffic at all communication borders
d. Implementing physical access restrictions
A

B: Failing to enforce the password policy is an example of a vulnerability.

37
Q
Which of the following is not an example of a threat?
a. Intruder access through a firewall
b. Activities that violate the security policy
c. A biometric device failing to authenticate a valid user
d. A natural disaster that destroys the IT infrastructure
A

C: A biometric device failing to authenticate a valid user is a False Rejection (Type I) error, but it is not a threat.

38
Q
Which of the following is an example of a threat?
a. Blocking all attachments at the e-mail gateway
b. Scanning for malicious code
c. Performing vulnerability assessment without senior management approval
d. A user destroying confidential data
A

D: A user destroying confidential data is an example of a threat.

39
Q
Which of the following is not true regarding an operational security plan?
a. includes an approved software list
b. integrates the elements of other plans
c. defines short term tasks necessary to the accomplishing of objectives
d. prescribes a logical sequence of initiatives
A

A: A system specific plan includes an approved software list.

40
Q
The purpose of a safeguard is to?
a. Remove a threat agent
b. Enhance an exposure
c. Update a security policy
d. Reduce or remove a vulnerability
A

D: A safeguard’s purpose is to reduce or remove a vulnerability.

41
Q
Which of the following is not an example of a safeguard?
a. Relaxing the filters on a firewall
b. Imposing strong password management
c. Deploying security guards
d. Enabling BIOS passwords
A

A: Relaxing the filters on a firewall is the removal of a safeguard.

42
Q
The top down approach to security management provides for all but which of the following?
a. provides for policy initiation, support, and direction
b. provides for assignment of responsibility to down-level administrators
c. provides for development and implementation of standards, guidelines, and procedures
d. provides for development of security control configurations
A

B: The top down approach to security management does not provide for the assignment of responsibility to down-level administrators. Senior management is always ultimately responsible for the success or failure of the security policy and resulting security solution.

43
Q
Which of the following is not an example of a risk?
a. Human error
b. Equipment malfunction
c. Replacing human security guards with dogs
d. Disgruntled insider
A

C: Replacing human security guards with dogs is a change in a security access control; it is not an example of a risk.

44
Q
Risk is the ______________ of something happening that will damage assets.
a. certainty
b. evaluation
c. prevention
d. possibility
A

D: Risk is the possibility of something happening that will damage assets.

45
Q
When will risk be totally eliminated?
a. When the organization ceases to exist
b. When the security policy is properly implemented
c. When all systems are powered down
d. When all users have completed security awareness training
A

A: Risk will be totally eliminated only when the organization ceases to exist.

46
Q
Which of the following represent the primary security factors that a private sector organization is concerned about?
a. data confidentiality and integrity
b. data availability and integrity
c. data non-repudiation and encryption
d. data availability and confidentiality
A

B: Private sector organizations are primarily concerned about data availability and integrity.

47
Q
The most important aspect of security to military organizations is?
a. integrity
b. non-repudiation
c. confidentiality
d. availability
A

C: Confidentiality is the most important aspect of security to military organizations.

48
Q
What is the primary goal of risk management?
a. Remove all risk
b. Perform a qualitative analysis of risk
c. Remove liability from senior management
d. Reduce risk to an acceptable level
A

D: The primary goal of risk management is to reduce risk to an acceptable level.

49
Q
An effective safeguard, when evaluated via risk analysis, should?
a. cost less than the loss possible via the risk
b. offer a complete solution for an individual specified risk
c. be invisible to the user
d. allow itself to be removed easily
A

A: An effective safeguard from a risk analysis perspective is that the safeguard should cost less than the cost of the loss due to the risk.

50
Q
All but which of the following apply to senior management in relation to risk analysis?
a. Directs and supports risk analysis
b. Is a member of the Risk Assessment team
c. Acts appropriately upon the results
d. Reviews the outcome of the analysis
A

B: The Risk Assessment Team should be comprised of a representative from most or all departments, not necessarily senior management.

51
Q
The first step in risk analysis is?
a. countermeasure selection
b. cost/benefit analysis
c. asset valuation
d. qualitative analysis of risk
A

C: Asset valuation is the first step in risk analysis. If assets have no value, there is no need to protect them.

52
Q
Risk management attempts to reduce risk to an acceptable level by performing all but which of the following activities?
a. Track down intruders for prosecution
b. Analyze the probability of attack occurrence
c. Predict the impact of a breach
d. Evaluate safeguards
A

A: Tracking down intruders for prosecution is not a function or element of risk management; it is possibly a factor in intrusion detection.

53
Q
Which of the following is not an example of a risk?
a. physical damage
b. blocking ports
c. misuse of data
d. buffer overflow
A

B: Blocking ports is a safeguard, not a risk.

54
Q
The value of an asset helps to determine?
a. length of time committed to performing qualitative analysis
b. whether or not to perform a quantitative analysis
c. whether a logical or a technical control is evaluated
d. the relative strength and cost of the safeguard
A

D: The value of an asset helps to determine the relative strength and cost of the safeguard selected to protect it.

55
Q
Which of the following is not considered an element in determining the cost of an asset?
a. cost to train personnel to employ
b. cost to develop
c. cost to acquire
d. cost to maintain
A

A: The cost to train personnel to employ is not as relevant as the costs to develop, acquire, and maintain an asset when determining the cost of an asset. Training costs are often difficult to quantify since training on any specific asset is typically grouped in training regarding overall IT interaction. While this answer is technically correct, it is the least correct answer of those offered.

56
Q
Which of the following is not considered an element in determining the cost of an asset?
a. cost to protect
b. cost in MB in hard drive storage requirements
c. value to owners and users
d. value to competitors
A

B: The cost in actual MB size is not as relevant as the cost for overall storage and maintenance in the determination of the cost of an asset. While this answer is technically correct, it is the least correct answer of those offered.

57
Q
The purpose of risk management is?
a. safeguard evaluation
b. risk mitigation
c. loss estimation
d. remove all risk
A

B: The purpose of risk management is risk mitigation. However, even in the most successful implementation, there is always some level of risk.

58
Q
Risk analysis is used to determine whether safeguards are all but which of the following?
a. cost effective
b. relevant
c. exhaustive
d. timely
A

C: No safeguard is exhaustive of all risks.

59
Q
The objectives of risk analysis include all but which of the following?
a. identify risk
b. quantify the impact of each risk
c. evaluate the cost effectiveness of safeguards
d. select countermeasures to implement
A

D: Risk analysis is used to compare safeguards, but it does not select the countermeasure to implement. Countermeasure Selection is left to the decision makers, i.e. senior management or their delegated administrators.

60
Q
An exposure factor is?
a. the amount of loss that would be incurred due to the compromise of an asset
b. the instance of being exposed to losses from a threat agent
c. the percentage of loss that a realized threat event would cause against a specific asset
d. the likelihood that a system will experience a security breach
A

C: An exposure factor is the percentage of loss that a realized threat event would cause against a specific asset.

61
Q
The annualized loss expectancy can be calculated using which of the following equations?
a. exposure factor x annualized rate of occurrence
b. asset value x exposure factor
c. asset value x risk probability x safeguard benefit
d. asset value x exposure factor x annualized rate of occurrence
A

D: The annualized loss expectancy can be calculated using asset value x exposure factor x annualized rate of occurrence. It can also be calculated using single loss expectancy x annualized rate of occurrence.

62
Q
Which of the following is not considered an element in determining the cost of an asset?
a. cost to replace
b. cost in productivity if asset is unavailable
c. the file formats used by the asset
d. liability if asset is compromised
A

C: The file formats used by the asset are typically not an element in determining the cost of an asset.

63
Q
Determining the value of an asset can be useful in all but which of the following requirements or activities?
a. cost/benefit analysis of safeguards
b. determining the exposure to a threat
c. insurance inventory
d. assigning classifications
A

B: Asset valuation is useful in assigning classifications, in cost/benefit analysis to determine which safeguards to select, and in deciding how much insurance to carry on a particular asset. Exposure to a threat would not be determined by asset value.

64
Q
A quantitative risk analysis approach employs which of the following?
a. A specific dollar value is assigned to each risk
b. Opinions about risks are collected from various departments
c. Scenarios are used to evaluate safeguards
d. Guesswork
A

A: A quantitative risk analysis approach employs specific dollar values assigned to each risk.

65
Q
Which of the following is not true?
a. Quantitative analysis assigns real numbers and concrete probability percentages.
b. A purely quantitative risk analysis is possible.
c. Quantitative analysis can be automated.
d. Qualitative analysis involves significantly less time and effort than a quantitative approach.
A

B: A purely quantitative risk analysis is not possible, since it is not possible to quantify all qualitative items.

66
Q
What form of qualitative risk analysis employs a group of people who reach a consensus through an anonymous means of voting and exchanging ideas?
a. Delphi technique
b. brainstorming
c. storyboarding
d. surveys
A

A: The Delphi technique is a form of qualitative risk analysis that employs a group of people who reach a consensus through an anonymous means of voting and exchanging ideas.

67
Q
Which of the following is not a method used in qualitative risk analysis?
a. focus group
b. automated software
c. one-on-one meeting
d. checklist
A

B: Quantitative, not qualitative, risk analysis can be automated with software.

68
Q
The value of a safeguard to an organization can be calculated using a formula which includes all but which of the following factors?
a. Annual loss expectancy before safeguard
b. Annual loss expectancy after implementing the safeguard
c. Residual risk
d. Annual cost of safeguard
A

C: Residual risk is not used in the formula for calculating the value of a safeguard; instead, it is the calculation of risk remaining after safeguards are implemented.

69
Q
What element in a formalized security infrastructure consists of documents that are compulsory in nature?
a. Recommendations
b. Guidelines
c. Standards
d. Policies
A

C: Standards are primarily compulsory in nature.

70
Q
Which of the following describes the practice of a formalized security infrastructure?
a. Defines recommended actions
b. Used when specific standards do not apply
c. Serves as operational guides for IT staff
d. Details step-by-step activities
A

D: Procedures detail step-by-step activities, not guidelines.

71
Q
If _____________________________________, managers can be held liable for negligence and held accountable for asset losses.
a. a company does not practice due care and due diligence
b. a company properly implements a security policy
c. a senior manager does not sign off on a change to the security policy
d. an analysis team does not update the business continuity plan
A

A: If a company does not practice due care and due diligence, managers can be held liable for negligence and held accountable for asset losses.

72
Q
Which of the following is not an accepted response to the results of risk analysis?
a. Reduce
b. Reject
c. Assign
d. Accept
A

B: Rejecting risk is not an accepted response to the results of risk analysis.

73
Q
Which response to risk can be implemented by purchasing insurance against loss?
a. Reduce
b. Reject
c. Assign
d. Accept
A

C: Assigning risk can be implemented by purchasing insurance against loss.

74
Q
Which of the following is not a valid example of assigning risk?
a. purchasing insurance
b. implementing a service level agreement with a vendor
c. crafting a disaster recovery plan
d. delegating responsibility for security policy implementation
A

D: Delegating security policy implementation responsibilities is not a valid example of assigning risk. Risk remains the responsibility of senior management; it cannot be delegated.

75
Q
What security mechanism is primarily responsible for implementing security controls that protect data in the most cost-effective manner?
a. need to know
b. data classification
c. traffic filtering
d. intrusion detection
A

B: Data classification is the security mechanism that is primarily responsible for implementing security controls that protect data in the most cost-effective manner.

76
Q
Which of the following is not one of the five standard data classifications used by the military?
a. Confidential
b. Secret
c. Private
d. Sensitive
A

C: Private is a data classification used by the private sector (i.e. corporate business), not the military.

77
Q
What level of private sector data classification represents assets that if disclosed will not cause an adverse impact?
a. Confidential
b. Private
c. Sensitive
d. Public
A

D: The public data classification represents assets that if disclosed will not cause an adverse impact.

78
Q
What is the difference between total risk and residual risk?
a. one can be completely eliminated
b. neither one can be managed with safeguards
c. neither is directly quantifiable
d. one is calculated by knowing the controls gap
A

D: Residual risk is what remains after selected safeguards are applied (i.e. controls gap). Residual risk = total risk - controls gap.

79
Q
Acceptable risk is?
a. The amount of risk an organization is willing to shoulder
b. Residual risk
c. Any risk that cannot be addressed by safeguards
d. All risks that have an exposure factor of less than 10%
A

A: Acceptable risk is the amount of risk an organization is willing to shoulder.

80
Q
What form of security policy outlines the laws and industry restrictions placed upon an organization?
a. Advisory
b. Regulatory
c. Informative
d. Organizational
A

B: Regulatory security policies outline the laws and industry restrictions placed upon an organization.

81
Q
A vulnerability is?
a. A potential danger to a system
b. The likelihood of an attack
c. The absence of a safeguard
d. An instance of being exposed to loss
A

C: The absence of a safeguard is a vulnerability.

82
Q
Which of the following is not a vulnerability?
a. Unrestricted dial-in modems
b. Open ports
c. Absence of a password policy
d. Human error
A

D: Human error is a threat, not a vulnerability.

83
Q
Which of the following is not a threat?
a. An intruder gaining access through a firewall
b. Not inspecting the fire suppression system
c. An activity that violates the security policy
d. Destruction of a data center by a natural disaster
A

B: Not inspecting the fire suppression system is an exposure.

84
Q
Which of the following is a valid definition for integrity?
a. Unauthorized disclosure is prevented.
b. Unauthorized modification is prevented.
c. Resources are accessible at all times by authorized users.
d. Disasters can be recovered from quickly.
A

B: Integrity can be defined by “Unauthorized modification is prevented.”

85
Q
Which of the following is a valid definition for availability?
a. Unauthorized disclosure is prevented.
b. Unauthorized modification is prevented.
c. Resources are accessible at all times by authorized users.
d. Mistakes made by authorized personnel are prevented.
A

C: Availability can be defined by “Resources are accessible at all times by authorized users.”

86
Q
How can risk be reduced?
a. Removing the vulnerability or removing the threat agent
b. Adjusting procedures
c. Installing fake security cameras
d. Logging system activity
A

A: Removing the vulnerability or removing the threat agent will reduce risk

87
Q
Which of the following is not used to mitigate a potential risk?
a. Countermeasure
b. Safeguard
c. Activity logging
d. Software update or patch
A

C: Activity logging is not used to mitigate potential risk, at least not directly.

88
Q
Which of the following is the best definition for countermeasures and safeguards?
a. Eliminates exposure through configuration changes
b. Blocks intrusion attempts
c. Blocks damage by malicious code
d. Reduces the risk of a threat taking advantage of a vulnerability
A

D: “Reduces the risk of a threat taking advantage of a vulnerability” is the best definition offered in this question for countermeasures and safeguards.

89
Q
Which of the following is a security control that ensures availability?
a. Encrypting data
b. Blocking DoS attacks
c. Checking for valid input
d. Training personnel
A

B: Blocking DoS attacks ensures availability.

90
Q
Which of the following is typically not considered a countermeasure or safeguard?
a. A night watchman
b. Punching through a firewall for VPN connections
c. BIOS passwords
d. OS based access controls
A

B: Punching through a firewall for VPN connections is not a safeguard or countermeasure and may introduce new vulnerabilities.

91
Q
Who within an organization is responsible for establishment of the foundations of security as well as ongoing support and direction?
a. Security support staff
b. IT department
c. Upper or senior management
d. System administrators
A

C: Upper or senior management is responsible for establishment of the foundations of security as well as ongoing support and direction.

92
Q
Who within an organization is responsible for the development and management of standards, guidelines, and procedures?
a. Senior management
b. Middle management
c. IT department
d. System administrators
A

B: Middle management is responsible for the development and management of standards, guidelines, and procedures.

93
Q
What aspect of an asset determines whether it should be protected and to what extent that protection should extend?
a. Accessibility
b. Data type
c. Value
d. Accuracy
A

C: The value of an asset determines its need for security.

94
Q
Which of the following is typically not included in the valuation of an asset?
a. Cost to acquire or develop
b. Value to owners and users
c. Intellectual property
d. Cost to store and serve to authorized users
A

D: The cost to store and serve an asset is not included in the value evaluation of an asset; that is considered a cost of the infrastructure.

95
Q
What is the primary security purpose for mandatory week-long minimum yearly vacations?
a. Prevent buildup of excessive vacation time
b. To prevent burnout
c. To simplify job rotations
d. To allow for auditing
A

D: Mandatory vacations are used to perform auditing.

96
Q
Who is responsible for assigning data classifications?
a. Data custodian
b. Data owner
c. Data creator
d. End user
A

B: The data owner is responsible for assigning data classification.

97
Q
Which of the following is not a goal of risk analysis?
a. Expand security awareness training
b. Identify all possible risks to an environment
c. Quantify the impact or cost of potential threats
d. Provide a cost/benefit analysis of countermeasures and safeguards
A

A: Expanding security awareness training is not a goal of risk analysis.

98
Q
Guidelines serve all but which of the following purposes within an organization’s formalized security structure?
a. A step-by-step implementation manual
b. Introduce methodologies for handling various security issues
c. Provide recommended courses of action for security problems
d. Operational guides for the IT staff
A

A: Guidelines do not serve as step-by-step implementation manuals.

99
Q
A ________________ is a document that includes general statements about the overall state of security for an organization. Senior management creates this document.
a. Procedure
b. Guideline
c. Standard
d. Policy
A

D: A policy is a document that includes general statements about the overall state of security for an organization. Senior management creates this document.

100
Q
All but which of the following are characteristics of an effective security plan?
a. Achievable
b. Specific
c. Inexpensive
d. Clearly stated
A

C: Implementing cost-effective safeguards is an aspect of a security plan, but not all safeguards or security mechanisms are inexpensive. Cost is not a characteristic of an effective security plan.

101
Q
What is the formula used to derive annualized loss expectancy?
a. Asset Value x Exposure Factor x Annualized Rate of Occurrence
b. Asset Value x Annualized Rate of Occurrence
c. Asset Value x Exposure Factor
d. Exposure Factor x Annualized Rate of Occurrence
A

A: Asset Value x Exposure Factor x Annualized Rate of Occurrence (equivalently, Single Loss Expectancy x Annualized Rate of Occurrence) is the formula for the Annualized Loss Expectancy.

102
Q
The security model employed by an organization depends upon their primary needs. What is the primary need of a government or military organization?
a. Risk avoidance
b. Integrity
c. Availability
d. Confidentiality
A

D: Confidentiality is the primary need of government and military organizations.

103
Q
Baselines are used for all but which of the following within an organization’s formalized security structure?
a. Establish a minimal level of security throughout the organization
b. Establish the basis for standards
c. As a starting point for security audits
d. As an operational guide for users
A

D: Baselines are not used as operational guides.

104
Q
Which element of a formalized security structure is positioned just above actual implementation and defines the steps or actions required to deploy security in an organization?
a. Guideline
b. Procedure
c. Policy
d. Standard
A

B: A procedure is positioned just above actual implementation and defines the steps or actions required to deploy security in an organization.

105
Q
Which of the following statements is true?
a. A purely quantitative risk analysis can be performed by the risk assessment team.
b. A quantitative analysis requires the subjective input from users.
c. A purely quantitative risk analysis cannot be performed since qualitative aspects cannot be quantified.
d. Qualitative analysis requires specific dollar valuations of assets to be successful.
A

C: A purely quantitative risk analysis cannot be performed since qualitative aspects cannot be quantified.

106
Q
The greatest number of threats to the assets of an organization come from where?
a. Inside the organization
b. Malicious code
c. The Internet
d. Hardware failures
A

A: The greatest number of threats to the assets of an organization come from inside the organization (over 85%).

107
Q
Which of the following is not a task that should be performed by the risk assessment/risk analysis team?
a. Perform a threat analysis
b. Estimate the potential for each risk to be realized
c. Implement an appropriate countermeasure
d. Assign values to assets
A

C: Implementing an appropriate countermeasure is not a task of the risk assessment team. They are only to provide a cost/benefit analysis of countermeasures. It is the responsibility of management to select an appropriate countermeasure based on the analysis and assign the implementation procedure to the security management/administration team.

108
Q
Who is held liable for an organization’s failure to perform due care and due diligence?
a. End users
b. IT staff
c. Senior management
d. Security team
A

C: The senior management is held liable for the failure to perform due care and due diligence.

109
Q
What is the cardinal rule of risk analysis?
a. All safeguards must be properly budgeted.
b. Only safeguards with the highest rate of risk mitigation should be employed.
c. Only safeguards with a high ratio of risk mitigation to cost should be implemented.
d. The annual cost of safeguards should not exceed the possible annual cost of the loss of an asset.
A

D: “The annual cost of safeguards should not exceed the possible annual cost of the loss of an asset” is the cardinal rule of risk analysis.

110
Q
Which of the following risk analysis approaches assigns real numbers to the costs of asset loss and countermeasure implementation?
a. Operational analysis
b. Quantitative analysis
c. Procedural analysis
d. Qualitative analysis
A

B: Quantitative analysis assigns real numbers to the costs of asset loss and countermeasure implementation.

111
Q
Which of the following military data classification levels is used to label assets that may cause serious damage to national security if that asset was disclosed?
a. Top Secret
b. Secret
c. Unclassified
d. Classified
A

B: Secret assets may cause serious damage to national security if that asset was disclosed.

112
Q
What security mechanism is often employed as the primary defense against collusion?
a. Job rotation
b. Separation of duties
c. Activity logging
d. Forced vacations
A

A: Job rotation is the primary defense against collusion.

113
Q
In the formula for calculating residual risk, what does the controls gap element represent?
a. Vulnerability
b. Potential of risk realization
c. Countermeasures and safeguards
d. Cost of risk analysis
A

C: The controls gap represents countermeasures and safeguards.

114
Q
Which of the following commercial business data classification levels represents the most sensitive collection of assets?
a. Confidential
b. Private
c. Sensitive
d. Public
A

A: The confidential classification represents the most sensitive collection of assets.

115
Q
Standards are used for what purpose in a formalized security structure?
a. To implement industry regulations
b. To detail the overall scope and vision of security for an organization
c. To establish uniformity across an organization
d. To define the actual processes used to implement security
A

C: Standards are used to establish uniformity across an organization.

116
Q
Which qualitative analysis method is a group decision method that seeks a consensus while retaining the anonymity of the participants?
a. Delphi technique
b. Brainstorming
c. Storyboarding
d. Surveys
A

A: Delphi Technique

117
Q
All but which of the following statements are true in regards to security awareness training?
a. Employees gain a basic understanding of the organization’s security policy
b. Often helps employees obtain certifications
c. Helps reduce fraud and circumvention of security mechanisms
d. Can be performed in lectures, through newsletters, via posters, or with mouse pads
A

B: Obtaining certifications is not a function of Security Awareness Training.

118
Q
What is the most important aspect of the exit interview for terminated employees?
a. Reviewing non-disclosure agreements
b. Updating the job description
c. Returning personal property
d. Escorted removal from the property
A

A: The most important aspect of the exit interview is to review non-disclosure agreements.

119
Q
Which of the following is not a reason, benefit, or requirement to perform asset valuation?
a. Reduces hosting costs
b. Useful in countermeasure selection
c. Insurance coverage identification
d. Prevent due care negligence
A

A: Asset valuation does not typically improve asset hosting costs.

120
Q
The risk assessment team should be comprised …
a. Of only management
b. Of members from every department or division
c. Of only IT staff
d. Of only volunteers
A

B: The risk assessment team should include members from every department or division. This often requires assigning or appointing team membership rather than relying on volunteers.

121
Q
Risk analysis is used to ensure all but which of the following?
a. That security is cost effective.
b. That security is relevant to the organization.
c. That security completely protects an environment.
d. That security is responsive to threats.
A

C: No system is 100% risk free.

122
Q
What is the weakest element in an organization’s security?
a. Security policy
b. Data classification schemes
c. Security control mechanisms
d. People
A

D: People are the weakest element in an organization’s security.

123
Q
Which of the following is true?
a. All risks can be eliminated.
b. All security configurations reduce risk.
c. Risk reduction requires IDS.
d. No system can be 100% risk free.
A

D: No system can be 100% risk free.

124
Q
The security model employed by an organization depends upon their primary needs. What are the primary needs of a private sector business?
a. Confidentiality and Integrity
b. Confidentiality and Availability
c. Integrity and Availability
d. Access Control and Risk avoidance
A

C: The primary needs of a private sector business are integrity and availability.

125
Q
Which of the four possible responses to the identification and cost/benefit analysis of risk is considered an invalid response?
a. Accept
b. Reject
c. Reduce
d. Assign
A

B: Reject is considered an invalid response.

126
Q
Who is responsible for protecting the confidentiality, integrity, and availability of data?
a. Senior management
b. Data owner
c. Data custodian
d. End user
A

C: The data custodian is responsible for protecting the confidentiality, integrity, and availability of data.

127
Q
What type of policy is not enforceable?
a. Informative
b. Regulatory
c. Administrative
d. Organizational
A

A: Informative policies cannot be enforced.

128
Q
Identification establishes ____________.
a. Authentication
b. Authorization
c. None of the choices
d. Accountability
A

D: Accountability. Identification is a means to verify who you are. It enables systems to trace activities to individual users that may be held responsible for their actions.

129
Q
Which of the following is not a type of risk?
a. Equipment failure
b. Backup media verification
c. Human error
d. Intrusion attempt
A

B: Backup media verification is not a type of risk; rather, it is a safeguard to ensure the viability of backup restorations.

130
Q
How is the value of a safeguard determined?
a. Its implementation costs are calculated
b. Annual Loss Expectancy before the safeguard - Annual Loss Expectancy after the safeguard - cost of implementing safeguard
c. Subjective analysis by end-users
d. Risk reduction caused by the safeguard
A

B: Annual Loss Expectancy before the safeguard - Annual Loss Expectancy after the safeguard - cost of implementing safeguard is the method used to calculate the value of a safeguard.

131
Q
The percentage of loss of the value of an asset, which an organization would incur if a threat event was realized, is known as?
a. Annualized loss expectancy
b. Annualized rate of occurrence
c. Single loss expectancy
d. Exposure factor
A

D: The exposure factor is the percentage of loss of the value of an asset, which an organization would incur if a threat event was realized.

132
Q
In the realm of risk analysis, senior management is responsible for all but which of the following?
a. Performing the cost/benefit analysis
b. Defining the scope of the risk analysis process
c. Appointing the risk assessment team
d. Acting on the results of the analysis
A

A: The risk assessment team, not senior management, is responsible for performing the cost/benefit analysis.

133
Q
Job rotation as a security mechanism has shown itself effective against which of the following?
a. Fraud
b. Data modification
c. Collusion
d. Misuse of information
A

C: Job rotation is directly effective against collusion.

134
Q
The likelihood of a threat taking advantage of a vulnerability is known as?
a. Risk
b. Exposure
c. Mitigation
d. Attack
A

A: Risk is the likelihood of a threat taking advantage of a vulnerability.

135
Q
The security administration team should be responsible for all but which of the following?
a. Creation of a clear and efficient reporting process
b. Monitoring the security of an organization
c. Approving the security policy
d. Identifying the strengths and weaknesses of a security solution
A

C: Approving the security policy is the responsibility of senior management, not the security administration team.