Chapter 1 Master Flashcards
Alyssa is responsible for her organization’s security awareness program. She is concerned that changes in technology may make the content outdated. What control can she put in place to protect against this risk?
A. Gamification
B. Computer-based training
C. Content reviews
D. Live training
C. Content reviews
Gavin is creating a report to management on the results of his most recent risk assessment. In his report, he would like to identify the remaining level of risk to the organization after adopting security controls. What term best describes this current level of risk?
A. Inherent risk
B. Residual risk
C. Control risk
D. Mitigated risk
B. Residual risk
Francine is a security specialist for an online service provider in the United States. She recently received a claim from a copyright holder that a user is storing information on her service that violates the third party’s copyright. What law governs the actions that Francine must take?
A. Copyright Act
B. Lanham Act
C. Digital Millennium Copyright Act
D. Gramm Leach Bliley Act
C. Digital Millennium Copyright Act
FlyAway Travel has offices in both the European Union (EU) and the United States and transfers personal information between those offices regularly. They have recently received a request from an EU customer requesting that their account be terminated. Under the General Data Protection Regulation (GDPR), which requirement for processing personal information states that individuals may request that their data no longer be disseminated or processed?
A. The right to access
B. Privacy by design
C. The right to be forgotten
D. The right of data portability
C. The right to be forgotten
After conducting a qualitative risk assessment of her organization, Sally recommends purchasing cybersecurity breach insurance. What type of risk response behavior is she recommending?
A. Accept
B. Transfer
C. Reduce
D. Reject
B. Transfer
Which one of the following elements of information is not considered personally identifiable information that would trigger most United States (U.S.) state data breach laws?
A. Student identification number
B. Social Security number
C. Driver’s license number
D. Credit card number
A. Student identification number
Renee is speaking to her board of directors about their responsibilities to review cybersecurity controls. What rule requires that senior executives take personal responsibility for information security matters?
A. Due diligence rule
B. Personal liability rule
C. Prudent man rule
D. Due process rule
C. Prudent man rule
Henry recently assisted one of his co-workers in preparing for the CISSP exam. During this process, Henry disclosed confidential information about the content of the exam, in violation of Canon IV of the Code of Ethics: “Advance and protect the profession.” Who may bring ethics charges against Henry for this violation?
A. Anyone may bring charges.
B. Any certified or licensed professional may bring charges.
C. Only Henry’s employer may bring charges.
D. Only the affected employee may bring charges.
B. Any certified or licensed professional may bring charges.
Wanda is working with one of her organization’s European Union business partners to facilitate the exchange of customer information. Wanda’s organization is located in the United States. What would be the best method for Wanda to use to ensure GDPR compliance?
A. Binding corporate rules
B. Privacy Shield
C. Standard contractual clauses
D. Safe harbor
C. Standard contractual clauses
Yolanda is the chief privacy officer for a financial institution and is researching privacy requirements related to customer checking accounts. Which one of the following laws is most likely to apply to this situation?
A. GLBA
B. SOX
C. HIPAA
D. FERPA
A. GLBA
Tim’s organization recently received a contract to conduct sponsored research as a government contractor. What law now likely applies to the information systems involved in this contract?
A. FISMA
B. PCI DSS
C. HIPAA
D. GISRA
A. FISMA
Chris is advising travelers from his organization who will be visiting many different countries overseas. He is concerned about compliance with export control laws. Which of the following technologies is most likely to trigger these regulations?
A. Memory chips
B. Office productivity applications
C. Hard drives
D. Encryption software
D. Encryption software
Bobbi is investigating a security incident and discovers that an attacker began with a normal user account but managed to exploit a system vulnerability to provide that account with administrative rights. What type of attack took place under the STRIDE threat model?
A. Spoofing
B. Repudiation
C. Tampering
D. Elevation of privilege
D. Elevation of privilege
You are completing your business continuity planning effort and have decided that you want to accept one of the risks. What should you do next?
A. Implement new security controls to reduce the risk level.
B. Design a disaster recovery plan.
C. Repeat the business impact assessment.
D. Document your decision-making process.
D. Document your decision-making process.
You are completing a review of the controls used to protect a media storage facility in your organization and would like to properly categorize each control that is currently in place. Which of the following control categories accurately describe a fence around a facility? (Select all that apply.)
A. Physical
B. Detective
C. Deterrent
D. Preventive
A. Physical
C. Deterrent
D. Preventive
Tony is developing a business continuity plan and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use?
A. Quantitative risk assessment
B. Qualitative risk assessment
C. Neither quantitative nor qualitative risk assessment
D. Combination of quantitative and qualitative risk assessment
D. Combination of quantitative and qualitative risk assessment
Vincent believes that a former employee took trade secret information from his firm and brought it with him to a competitor. He wants to pursue legal action. Under what law could he pursue charges?
A. Copyright law
B. Lanham Act
C. Glass-Steagall Act
D. Economic Espionage Act
D. Economic Espionage Act
Which one of the following principles imposes a standard of care upon an individual that is broad and equivalent to what one would expect from a reasonable person under the circumstances?
A. Due diligence
B. Separation of duties
C. Due care
D. Least privilege
C. Due care
Brenda’s organization recently completed the acquisition of a competitor firm. Which one of the following tasks would be LEAST likely to be part of the organizational processes addressed during the acquisition?
A. Consolidation of security functions
B. Integration of security tools
C. Protection of intellectual property
D. Documentation of security policies
C. Protection of intellectual property
Kelly believes that an employee engaged in the unauthorized use of computing resources for a side business. After consulting with management, she decides to launch an administrative investigation. What is the burden of proof that she must meet in this investigation?
A. Preponderance of the evidence
B. Beyond a reasonable doubt
C. Beyond the shadow of a doubt
D. There is no standard
D. There is no standard
Keenan Systems recently developed a new manufacturing process for microprocessors. The company wants to license the technology to other companies for use but wants to prevent unauthorized use of the technology. What type of intellectual property protection is best suited for this situation?
A. Patent
B. Trade secret
C. Copyright
D. Trademark
A. Patent
Which one of the following actions might be taken as part of a business continuity plan?
A. Restoring from backup tapes
B. Implementing RAID
C. Relocating to a cold site
D. Restarting business operations
B. Implementing RAID
When developing a business impact analysis, the team should first create a list of assets. What should happen next?
A. Identify vulnerabilities in each asset.
B. Determine the risks facing the asset.
C. Develop a value for each asset.
D. Identify threats facing each asset.
C. Develop a value for each asset.
Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference
C. Risk mitigation
Laura has been asked to perform an SCA. What type of organization is she most likely in?
A. Higher education
B. Banking
C. Government
D. Healthcare
C. Government
Carl is a federal agent investigating a computer crime case. He identified an attacker who engaged in illegal conduct and wants to pursue a case against that individual that will lead to imprisonment. What standard of proof must Carl meet?
A. Beyond the shadow of a doubt
B. Preponderance of the evidence
C. Beyond a reasonable doubt
D. Majority of the evidence
C. Beyond a reasonable doubt
The International Information Systems Security Certification Consortium uses the logo shown here to represent itself online and in a variety of forums. What type of intellectual property protection may it use to protect its rights in this logo?
A. Copyright
B. Patent
C. Trade secret
D. Trademark
D. Trademark
Mary is helping a computer user who sees the following message appear on his computer screen. What type of attack has occurred?
A. Availability
B. Confidentiality
C. Disclosure
D. Distributed
A. Availability
Which one of the following organizations would not be automatically subject to the privacy and security requirements of HIPAA if they engage in electronic transactions?
A. Healthcare provider
B. Health and fitness application developer
C. Health information clearinghouse
D. Health insurance plan
B. Health and fitness application developer
John’s network begins to experience symptoms of slowness. Upon investigation, he realizes that the network is being bombarded with TCP SYN packets and believes that his organization is the victim of a denial-of-service attack. What principle of information security is being violated?
A. Availability
B. Integrity
C. Confidentiality
D. Denial
A. Availability
Renee is designing the long-term security plan for her organization and has a three- to five-year planning horizon. Her primary goal is to align the security function with the broader plans and objectives of the business. What type of plan is she developing?
A. Operational
B. Tactical
C. Summary
D. Strategic
D. Strategic
Gina is working to protect a logo that her company will use for a new product they are launching. She has questions about the intellectual property protection process for this logo. What U.S. government agency would be best able to answer her questions?
A. USPTO
B. Library of Congress
C. NSA
D. NIST
A. USPTO
The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation?
A. Mandatory vacation
B. Separation of duties
C. Defense in depth
D. Job rotation
B. Separation of duties
Which one of the following categories of organizations is most likely to be covered by the provisions of FISMA?
A. Banks
B. Defense contractors
C. School districts
D. Hospitals
B. Defense contractors
Robert is responsible for securing systems used to process credit card information. What security control framework should guide his actions?
A. HIPAA
B. PCI DSS
C. SOX
D. GLBA
B. PCI DSS
Which one of the following individuals is normally responsible for fulfilling the operational data protection responsibilities delegated by senior management, such as validating data integrity, testing backups, and managing security policies?
A. Data custodian
B. Data owner
C. User
D. Auditor
A. Data custodian
Alan works for an e-commerce company that recently had some content stolen by another website and republished without permission. What type of intellectual property protection would best preserve Alan’s company’s rights?
A. Trade secret
B. Copyright
C. Trademark
D. Patent
B. Copyright
Florian receives a flyer from a U.S. federal government agency announcing that a new administrative law will affect his business operations. Where should he go to find the text of the law?
A. United States Code
B. Supreme Court rulings
C. Code of Federal Regulations
D. Compendium of Laws
C. Code of Federal Regulations
Tom enables an application firewall provided by his cloud infrastructure as a service provider that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower by implementing this countermeasure?
A. Impact
B. RPO
C. MTO
D. Likelihood
D. Likelihood
Which one of the following individuals would be the most effective organizational owner for an information security program?
A. CISSP-certified analyst
B. Chief information officer (CIO)
C. Manager of network security
D. President and CEO
B. Chief information officer (CIO)
What important function do senior managers normally fill on a business continuity planning team?
A. Arbitrating disputes about criticality
B. Evaluating the legal environment
C. Training staff
D. Designing failure controls
A. Arbitrating disputes about criticality
You are the CISO for a major hospital system and are preparing to sign a contract with a software as a service (SaaS) email vendor and want to perform a control assessment to ensure that its business continuity planning measures are reasonable. What type of audit might you request to meet this goal?
A. SOC 1
B. FISMA
C. PCI DSS
D. SOC 2
D. SOC 2
Gary is analyzing a security incident and, during his investigation, encounters a user who denies having performed an action that Gary believes he did perform. What type of threat has taken place under the STRIDE model?
A. Repudiation
B. Information disclosure
C. Tampering
D. Elevation of privilege
A. Repudiation
Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing?
A. Integrity
B. Availability
C. Confidentiality
D. Denial
A. Integrity
Which one of the following issues is not normally addressed in a service-level agreement (SLA)?
A. Confidentiality of customer information
B. Failover time
C. Uptime
D. Maximum consecutive downtime
A. Confidentiality of customer information
Joan is seeking to protect a piece of computer software that she developed under intellectual property law. Which one of the following avenues of protection would not apply to a piece of software?
A. Trademark
B. Copyright
C. Patent
D. Trade secret
A. Trademark
Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The local area network (LAN) contains modern switch equipment connected to both wired and wireless networks. Each office has its own file server, and the information technology (IT) team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work. You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization’s security.
Users in the two offices would like to access each other’s file servers over the internet. What control would provide confidentiality for those communications?
A. Digital signatures
B. Virtual private network
C. Virtual LAN
D. Digital content management
B. Virtual private network
Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The local area network (LAN) contains modern switch equipment connected to both wired and wireless networks. Each office has its own file server, and the information technology (IT) team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work. You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization’s security.
You are concerned about the availability of data stored on each office’s server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. What control allows you to add robustness without adding additional servers?
A. Server clustering
B. Load balancing
C. RAID
D. Scheduled backups
C. RAID
Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The local area network (LAN) contains modern switch equipment connected to both wired and wireless networks. Each office has its own file server, and the information technology (IT) team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work. You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization’s security.
Finally, there are historical records stored on the server that are extremely important to the business and should never be modified. You would like to add an integrity control that allows you to verify on a periodic basis that the files were not modified. What control can you add?
A. Hashing
B. ACLs
C. Read-only attributes
D. Firewalls
A. Hashing
Beth is a human resources specialist preparing to assist in the termination of an employee. Which of the following is not typically part of a termination process?
A. An exit interview
B. Recovery of property
C. Account termination
D. Signing an NCA
D. Signing an NCA
Frances is reviewing her organization’s business continuity plan documentation for completeness. Which one of the following is not normally included in business continuity plan documentation?
A. Statement of accounts
B. Statement of importance
C. Statement of priorities
D. Statement of organizational responsibility
A. Statement of accounts
An accounting employee at Doolittle Industries was recently arrested for participation in an embezzlement scheme. The employee transferred money to a personal account and then shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud?
A. Separation of duties
B. Least privilege
C. Defense in depth
D. Mandatory vacation
D. Mandatory vacation
Jeff would like to adopt an industry-standard approach for assessing the processes his organization uses to manage risk. What maturity model would be most appropriate for his use?
A. CMM
B. SW-CMM
C. RMM
D. COBIT
C. RMM
Chris’ organization recently suffered an attack that rendered their website inaccessible to paying customers for several hours. Which information security goal was most directly impacted?
A. Confidentiality
B. Integrity
C. Availability
D. Denial
C. Availability
Yolanda is writing a document that will provide configuration information regarding the minimum level of security that every system in the organization must meet. What type of document is she preparing?
A. Policy
B. Baseline
C. Guideline
D. Procedure
B. Baseline
Who should receive initial business continuity plan training in an organization?
A. Senior executives
B. Those with specific business continuity roles
C. Everyone in the organization
D. First responders
C. Everyone in the organization
James is conducting a risk assessment for his organization and is attempting to assign an asset value to the servers in his data center. The organization’s primary concern is ensuring that it has sufficient funds available to rebuild the data center in the event it is damaged or destroyed. Which one of the following asset valuation methods would be most appropriate in this situation?
A. Purchase cost
B. Depreciated cost
C. Replacement cost
D. Opportunity cost
C. Replacement cost
Roger’s organization suffered a breach of customer credit card records. Under the terms of PCI DSS, what organization may choose to pursue an investigation of this matter?
A. FBI
B. Local law enforcement
C. Bank
D. PCI SSC
D. PCI SSC
Rick recently engaged critical employees in each of his organization’s business units to ask for their assistance with his security awareness program. They will be responsible for sharing security messages with their peers and answering questions about cybersecurity matters. What term best describes this relationship?
A. Security champion
B. Security expert
C. Gamification
D. Peer review
A. Security champion
Frank discovers a keylogger hidden on the laptop of his company’s chief executive officer. What information security principle is the keylogger most likely designed to disrupt?
A. Confidentiality
B. Integrity
C. Availability
D. Denial
A. Confidentiality
Elise is helping her organization prepare to evaluate and adopt a new cloud-based human resource management (HRM) system vendor. What would be the most appropriate minimum security standard for her to require of possible vendors?
A. Compliance with all laws and regulations
B. Handling information in the same manner the organization would
C. Elimination of all identified security risks
D. Compliance with the vendor’s own policies
B. Handling information in the same manner the organization would
The following graphic shows the NIST risk management framework with step 4
What is the missing step?
A. Assess security controls.
B. Determine control gaps.
C. Remediate control gaps.
D. Evaluate user activity.
A. Assess security controls.
HAL Systems recently decided to stop offering public NTP services because of a fear that its NTP servers would be used in amplification DDoS attacks. What type of risk management strategy did HAL pursue with respect to its NTP services?
A. Risk mitigation
B. Risk acceptance
C. Risk transference
D. Risk avoidance
D. Risk avoidance
Susan is working with the management team in her company to classify data in an attempt to apply extra security controls that will limit the likelihood of a data breach. What principle of information security is Susan trying to enforce?
A. Availability
B. Denial
C. Confidentiality
D. Integrity
C. Confidentiality
Which one of the following components should be included in an organization’s emergency response guidelines?
A. List of individuals who should be notified of an emergency incident
B. Long-term business continuity protocols
C. Activation procedures for the organization’s cold sites
D. Contact information for ordering equipment
A. List of individuals who should be notified of an emergency incident
Chas recently completed the development of his organization’s business continuity plan. Who is the ideal person to approve an organization’s business continuity plan?
A. Chief information officer
B. Chief executive officer
C. Chief information security officer
D. Chief operating officer
B. Chief executive officer
Which one of the following actions is not normally part of the project scope and planning phase of business continuity planning?
A. Structured analysis of the organization
B. Review of the legal and regulatory landscape
C. Creation of a BCP team
D. Documentation of the plan
D. Documentation of the plan
Gary is implementing a new website architecture that uses multiple small web servers behind a load balancer. What principle of information security is Gary seeking to enforce?
A. Denial
B. Confidentiality
C. Integrity
D. Availability
D. Availability
Becka recently signed a contract with an alternate data processing facility that will provide her company with space in the event of a disaster. The facility includes HVAC, power, and communications circuits but no hardware. What type of facility is Becka using?
A. Cold site
B. Warm site
C. Hot site
D. Mobile site
A. Cold site
Greg’s company recently experienced a significant data breach involving the personal data of many of their customers. Which breach laws should they review to ensure that they are taking appropriate action?
A. The breach laws in the state where they are headquartered.
B. The breach laws of states they do business in.
C. Only federal breach laws.
D. Breach laws only cover government agencies, not private businesses.
B. The breach laws of states they do business in.
Ben is seeking a control objective framework that is widely accepted around the world and focuses specifically on information security controls. Which one of the following frameworks would best meet his needs?
A. ITIL
B. ISO 27002
C. CMM
D. PMBOK Guide
B. ISO 27002
Matt works for a telecommunications firm and was approached by a federal agent seeking assistance with wiretapping one of Matt’s clients pursuant to a search warrant. Which one of the following laws requires that communications service providers cooperate with law enforcement requests?
A. ECPA
B. CALEA
C. Privacy Act
D. HITECH Act
B. CALEA
Every year, Gary receives privacy notices in the mail from financial institutions where he has accounts. What law requires the institutions to send Gary these notices?
A. FERPA
B. GLBA
C. HIPAA
D. HITECH
B. GLBA
Which one of the following agreements typically requires that a vendor not disclose confidential information learned during the scope of an engagement?
A. NCA
B. SLA
C. NDA
D. RTO
C. NDA
The (ISC)2 Code of Ethics applies to all CISSP holders. Which of the following is not one of the four mandatory canons of the code?
A. Protect society, the common good, the necessary public trust and confidence, and the infrastructure.
B. Disclose breaches of privacy, trust, and ethics.
C. Provide diligent and competent service to principals.
D. Advance and protect the profession.
B. Disclose breaches of privacy, trust, and ethics.
Which one of the following stakeholders is not typically included on a business continuity planning team?
A. Core business function leaders
B. Information technology staff
C. CEO
D. Support departments
C. CEO
Ben is designing a messaging system for a bank and would like to include a feature that allows the recipient of a message to prove to a third party that the message did indeed come from the purported originator. What goal is Ben trying to achieve?
A. Authentication
B. Authorization
C. Integrity
D. Nonrepudiation
D. Nonrepudiation
What principle of information security states that an organization should implement overlapping security controls whenever possible?
A. Least privilege
B. Separation of duties
C. Defense in depth
D. Security through obscurity
C. Defense in depth
Ryan is a CISSP-certified cybersecurity professional working in a nonprofit organization. Which of the following ethical obligations apply to his work? (Select all that apply.)
A. (ISC)2 Code of Ethics
B. Organizational code of ethics
C. Federal code of ethics
D. RFC 1087
A. (ISC)2 Code of Ethics
B. Organizational code of ethics
Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option?
A. Purchasing insurance
B. Encrypting the database contents
C. Removing the data
D. Objecting to the exception
B. Encrypting the database contents
The Domer Industries risk assessment team recently conducted a qualitative risk assessment and developed a matrix similar to the one shown here. Which quadrant contains the risks that require the most immediate attention?
A. I
B. II
C. III
D. IV
A. I
Tom is planning to terminate an employee this afternoon for fraud and expects that the meeting will be somewhat hostile. He is coordinating the meeting with human resources and wants to protect the company against damage. Which one of the following steps is most important to coordinate in time with the termination meeting?
A. Informing other employees of the termination
B. Retrieving the employee’s photo ID
C. Calculating the final paycheck
D. Revoking electronic access rights
D. Revoking electronic access rights
Rolando is a risk manager with a large-scale enterprise. The firm recently evaluated the risk of California mudslides on its operations in the region and determined that the cost of responding outweighed the benefits of any controls it could implement. The company chose to take no action at this time. What risk management strategy did Rolando’s organization pursue?
A. Risk avoidance
B. Risk mitigation
C. Risk transference
D. Risk acceptance
D. Risk acceptance
Helen is the owner of a U.S. website that provides information for middle and high school students preparing for exams. She is writing the site’s privacy policy and would like to ensure that it complies with the provisions of the Children’s Online Privacy Protection Act (COPPA). What is the cutoff age below which parents must give consent in advance of the collection of personal information from their children under COPPA?
A. 13
B. 15
C. 17
D. 18
A. 13
Tom is considering locating a business in the downtown area of Miami, Florida. He consults the FEMA flood plain map for the region, shown here, and determines that the area he is considering lies within a 100-year flood plain. What is the ARO of a flood in this area?
A. 100
B. 1
C. 0.1
D. 0.01
D. 0.01
You discover that a user on your network has been using the Wireshark tool, as shown here. Further investigation revealed that he was using it for illicit purposes. What pillar of information security has most likely been violated?
A. Integrity
B. Denial
C. Availability
D. Confidentiality
D. Confidentiality
Alan is performing threat modeling and decides that it would be useful to decompose the system into the core elements shown here. What tool is he using?
A. Vulnerability assessment
B. Fuzzing
C. Reduction analysis
D. Data modeling
C. Reduction analysis
Craig is selecting the site for a new data center and must choose a location somewhere within the United States. He obtained the earthquake risk map shown here from the United States Geological Survey. Which of the following would be the safest location to build his facility if he were primarily concerned with earthquake risk?
A. New York
B. North Carolina
C. Indiana
D. Florida
D. Florida
Which type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence?
A. Quantitative
B. Qualitative
C. Annualized loss expectancy
D. Reduction
B. Qualitative
Ryan is a security risk analyst for an insurance company. He is currently examining a scenario in which a malicious hacker might use a SQL injection attack to deface a web server due to a missing patch in the company’s web application. In this scenario, what is the threat?
A. Unpatched web application
B. Web defacement
C. Malicious hacker
D. Operating system
C. Malicious hacker
scenario:
Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort’s main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million.
Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood’s facility lies in an area where they are likely to experience a tornado once every 200 years.
Based upon the information in this scenario, what is the exposure factor for the effect of a tornado on Atwood Landing’s data center?
A. 10 percent
B. 25 percent
C. 50 percent
D. 75 percent
C. 50 percent
scenario:
Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort’s main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million.
Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood’s facility lies in an area where they are likely to experience a tornado once every 200 years.
Based upon the information in this scenario, what is the annualized rate of occurrence for a tornado at Atwood Landing’s data center?
A. 0.0025
B. 0.005
C. 0.01
D. 0.015
B. 0.005
scenario:
Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort’s main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million.
Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood’s facility lies in an area where they are likely to experience a tornado once every 200 years.
Based upon the information in this scenario, what is the annualized loss expectancy for a tornado at Atwood Landing’s data center?
A. $25,000
B. $50,000
C. $250,000
D. $500,000
A. $25,000
John is analyzing an attack against his company in which the attacker found comments embedded in HTML code that provided the clues needed to exploit a software vulnerability. Using the STRIDE model, what type of attack did he uncover?
A. Spoofing
B. Repudiation
C. Information disclosure
D. Elevation of privilege
C. Information disclosure
Chris is worried that the laptops that his organization has recently acquired were modified by a third party to include keyloggers before they were delivered. Where should he focus his efforts to prevent this?
A. His supply chain
B. His vendor contracts
C. His post-purchase build process
D. The original equipment manufacturer (OEM)
A. His supply chain
In her role as a developer for an online bank, Lisa is required to submit her code for testing and review. After it passes through this process and it is approved, another employee moves the code to the production environment. What security management does this process describe?
A. Regression testing
B. Code review
C. Change management
D. Fuzz testing
C. Change management
After completing the first year of his security awareness program, Charles reviews the data about how many staff completed training compared to how many were assigned the training to determine whether he hit the 95 percent completion rate he was aiming for. What is this type of measure called?
A. A KPI
B. A metric
C. An awareness control
D. A return on investment rate
A. A KPI
Which of the following is not typically included in a prehire screening process?
A. A drug test
B. A background check
C. Social media review
D. Fitness evaluation
D. Fitness evaluation
Which of the following would normally be considered a supply chain risk? (Select all that apply.)
A. Adversary tampering with hardware while it is being shipped to the end customer
B. Adversary hacking into a web server run by the organization in an IaaS environment
C. Adversary using social engineering to compromise an employee of a SaaS vendor to gain access to customer accounts
D. Adversary conducting a denial-of-service attack using a botnet
A. Adversary tampering with hardware while it is being shipped to the end customer
C. Adversary using social engineering to compromise an employee of a SaaS vendor to gain access to customer accounts
Match the Laws and Industry standards to their description.
Laws and industry standards
1. GLBA
2. PCI DSS
3. HIPAA
4. SOX
Descriptions
A. A U.S. law that requires covered financial institutions to provide their customers with a privacy notice on a yearly basis
B. A U.S. law that requires internal controls assessments, including IT transaction flows for publicly traded companies
C. An industry standard that covers organizations that handle credit cards
D. A U.S. law that provides data privacy and security requirements for medical information
1-A
2-C
3-D
4-B
Confidentiality, integrity, and availability are typically viewed as the primary goals and objectives of a security infrastructure. Which of the following is not considered a violation of confidentiality?
A. Stealing passwords using a keystroke logging tool
B. Eavesdropping on wireless network communications
C. Hardware destruction caused by arson
D. Social engineering that tricks a user into providing personal information to a false website
C. Hardware destruction caused by arson
Security governance requires a clear understanding of the objectives of the organization as the core concepts of security. Which of the following contains the primary goals and objectives of security?
A. A network’s border perimeter
B. The CIA Triad
C. AAA services
D. Ensuring that subject activities are recorded
B. The CIA Triad
James recently discovered an attack taking place against his organization that prevented employees from accessing critical records. What element of the CIA Triad was violated?
A. Identification
B. Availability
C. Encryption
D. Layering
B. Availability
Optimally, security governance is performed by a board of directors, but smaller organizations may simply have the CEO or CISO perform the activities of security governance. Which of the following is true about security governance?
A. Security governance ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity.
B. Security governance is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.
C. Security governance is a documented set of best IT security practices that prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives.
D. Security governance seeks to compare the security processes and infrastructure used within the organization with knowledge and insight obtained from external sources.
D. Security governance seeks to compare the security processes and infrastructure used within the organization with knowledge and insight obtained from external sources.
You have been tasked with crafting a long-term security plan that is fairly stable. It needs to define the organization’s security purpose. It also needs to define the security function and align it to the goals, mission, and objectives of the organization. What are you being asked to create?
A. Tactical plan
B. Operational plan
C. Strategic plan
D. Rollback plan
C. Strategic plan
Annaliese’s organization is undergoing a period of increased business activity where they are conducting a large number of mergers and acquisitions. She is concerned about the risks associated with those activities. Which of the following are examples of those risks? (Choose all that apply.)
A. Inappropriate information disclosure
B. Increased worker compliance
C. Data loss
D. Downtime
E. Additional insight into the motivations of inside attackers
F. Failure to achieve sufficient return on investment (ROI)
A. Inappropriate information disclosure
C. Data loss
D. Downtime
F. Failure to achieve sufficient return on investment (ROI)
Which security framework was initially crafted by a government for domestic use but is now an international standard, which is a set of recommended best practices for optimization of IT services to support business growth, transformation, and change; which focuses on understanding how IT and security need to be integrated with and aligned to the objectives of an organization; and which is often used as a starting point for the crafting of a customized IT security solution within an established infrastructure?
A. ITIL
B. ISO 27000
C. CIS
D. CSF
A. ITIL
A security role is the part an individual plays in the overall scheme of security implementation and administration within an organization. What is the security role that has the functional responsibility for security, including writing the security policy and implementing it?
A. Senior management
B. Security professional
C. Custodian
D. Auditor
B. Security professional
Control Objectives for Information and Related Technology (COBIT) is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives. COBIT is based on six key principles for governance and management of enterprise IT. Which of the following are among these key principles? (Choose all that apply.)
A. Holistic Approach
B. End-to-End Governance System
C. Provide Stakeholder Value
D. Maintaining Authenticity and Accountability
E. Dynamic Governance System
A. Holistic Approach
B. End-to-End Governance System
C. Provide Stakeholder Value
E. Dynamic Governance System
In today’s business environment, prudence is mandatory. Showing due diligence and due care is the only way to disprove negligence in an occurrence of loss. Which of the following are true statements? (Choose all that apply.)
A. Due diligence is establishing a plan, policy, and process to protect the interests of an organization.
B. Due care is developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures.
C. Due diligence is the continued application of a security structure onto the IT infrastructure of an organization.
D. Due care is practicing the individual activities that maintain the security effort.
E. Due care is knowing what should be done and planning for it.
F. Due diligence is doing the right action at the right time.
A. Due diligence is establishing a plan, policy, and process to protect the interests of an organization.
D. Due care is practicing the individual activities that maintain the security effort.
Security documentation is an essential element of a successful security program. Understanding the components is an early step in crafting the security documentation. Match the following components to their respective definitions.
1. Policy
2. Standard
3. Procedure
4. Guideline
I. A detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution.
II. A document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection.
III. A minimum level of security that every system throughout the organization must meet.
IV. Offers recommendations on how security requirements are implemented and serves as an operational guide for both security professionals and users.
V. Defines compulsory requirements for the homogenous use of hardware, software, technology, and security controls.
A. 1 – I; 2 – IV; 3 – II; 4 – V
B. 1 – II; 2 – V; 3 – I; 4 – IV
C. 1 – IV; 2 – II; 3 – V; 4 – I
D. 1 – V; 2 – I; 3 – IV; 4 – III
B. 1 – II; 2 – V; 3 – I; 4 – IV
STRIDE is often used in relation to assessing threats against applications or operating systems. When confidential documents are exposed to unauthorized entities, which element of STRIDE is used to reference that violation?
A. S
B. T
C. R
D. I
E. D
F. E
D. I
A development team is working on a new project. During the early stages of systems development, the team considers the vulnerabilities, threats, and risks of their solution and integrates protections against unwanted outcomes. What concept of threat modeling is this?
A. Threat hunting
B. Proactive approach
C. Qualitative approach
D. Adversarial approach
B. Proactive approach
Supply chain risk management (SCRM) is a means to ensure that all the vendors or links in the supply chain are reliable, trustworthy, reputable organizations. Which of the following are true statements? (Choose all that apply.)
A. Each link in the supply chain should be responsible and accountable to the next link in the chain.
B. Commodity vendors are unlikely to have mined their own metals or processed the oil for plastics or etched the silicon of their chips.
C. If the final product derived from a supply chain meets expectations and functional requirements, it is assured to not have unauthorized elements.
D. Failing to properly secure a supply chain can result in flawed or less reliable products, or even embedded listening or remote control mechanisms.
A. Each link in the supply chain should be responsible and accountable to the next link in the chain.
B. Commodity vendors are unlikely to have mined their own metals or processed the oil for plastics or etched the silicon of their chips.
D. Failing to properly secure a supply chain can result in flawed or less reliable products, or even embedded listening or remote control mechanisms.
Your organization has become concerned with risks associated with the supply chain of their retail products. Fortunately, all coding for their custom product is done in-house. However, a thorough audit of a recently completed product revealed that a listening mechanism was integrated into the solution somewhere along the supply chain. The identified risk is associated with what product component in this scenario?
A. Software
B. Services
C. Data
D. Hardware
C. Data
Cathy’s employer has asked her to perform a documentation review of the policies and procedures of a third-party supplier. This supplier is just the final link in a software supply chain. Their components are being used as a key element of an online service operated for high-end customers. Cathy discovers several serious issues with the vendor, such as failing to require encryption for all communications and not requiring multifactor authentication on management interfaces. What should Cathy do in response to this finding?
A. Write up a report and submit it to the CIO.
B. Void the ATO of the vendor.
C. Require that the vendor review their terms and conditions.
D. Have the vendor sign an NDA.
B. Void the ATO of the vendor.
Whenever an organization works with a third party, its supply chain risk management (SCRM) processes should be applied. One of the common requirements is the establishment of minimum security requirements of the third party. What should these requirements be based on?
A. Existing security policy
B. Third-party audit
C. On-site assessment
D. Vulnerability scan results
A. Existing security policy
It’s common to pair threats with vulnerabilities to identify threats that can exploit assets and represent significant risks to the organization. An ultimate goal of threat modeling is to prioritize the potential threats against an organization’s valuable assets. Which of the following is a risk-centric threat-modeling approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected?
A. VAST
B. SD3+C
C. PASTA
D. STRIDE
C. PASTA
The next step after threat modeling is reduction analysis. Reduction analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product, its internal components, as well as its interactions with external elements. Which of the following are key components to identify when performing decomposition? (Choose all that apply.)
A. Patch or update versions
B. Trust boundaries
C. Dataflow paths
D. Open vs. closed source code use
E. Input points
F. Privileged operations
G. Details about security stance and approach
B. Trust boundaries
C. Dataflow paths
E. Input points
F. Privileged operations
G. Details about security stance and approach
Defense in depth is simply the use of multiple controls in a series. No one control can protect against all possible threats. Using a multilayered solution allows for numerous, different controls to guard against whatever threats come to pass. Which of the following are terms that relate to or are based on defense in depth? (Choose all that apply.)
A. Layering
B. Classifications
C. Zones
D. Realms
E. Compartments
F. Silos
G. Segmentations
H. Lattice structure
I. Protection rings
A. Layering
B. Classifications
C. Zones
D. Realms
E. Compartments
F. Silos
G. Segmentations
H. Lattice structure
I. Protection rings
Confidentiality is the principle that objects are not disclosed to unauthorized subjects. Integrity is the principle that objects retain their veracity and are intentionally modified only by authorized subjects. Availability is the principle that authorized subjects are granted timely and uninterrupted access to objects. As a group, what is this commonly known as?
CIA Triad
__________ is composed of identification, authentication, authorization, auditing, and accountability.
AAA Services
_________ is the process by which a subject professes an identity and accountability is initiated.
Identification
__________ must provide an identity to a system to start the process of authentication, authorization, and accountability.
A subject
___________ is the process of verifying or testing that a claimed identity is valid. Authentication requires information from the subject that must exactly correspond to the identity indicated.
Authentication
__________ is the programmatic means by which subjects are held accountable for their actions while authenticated on a system through the documentation or recording of subject activities.
Auditing
Security can be maintained only if subjects are held accountable for their actions. What is the term used for this?
Accountability
______________ ensures that the subject of an activity or event cannot deny that the event occurred. It prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event.
Nonrepudiation
___________ is used to collect similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. It adds efficiency to carrying out a security plan.
Abstraction
Preventing data from being discovered or accessed by a subject. It is often a key element in security controls as well as in programming.
What does this define?
Data hiding
_____________ is the line of intersection between any two areas, subnets, or environments that have different security requirements or needs.
Security boundary
_____________ is the collection of practices related to supporting, defining, and directing the security efforts of an organization.
Security governance
______________ is the system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements. The actual method of governance may vary, but it generally involves an outside investigator or auditor.
Third-party governance
_________________ is the process of reading the exchanged materials and verifying them against standards and expectations. In many situations, especially related to government or military agencies or contractors, failing to provide sufficient documentation to meet requirements of third-party governance can result in a loss of or a voiding of authorization to operate (ATO).
Documentation review
_____________ planning ensures proper creation, implementation, and enforcement of a security policy. ________________ aligns the security functions to the strategy, goals, mission, and objectives of the organization. This includes designing and implementing security based on business cases, budget restrictions, or scarcity of resources.
Security management
Security management planning
___________ is usually a documented argument or stated position in order to define a need to make a decision or take some form of action.
A business case
____________ demonstrates a business-specific need to alter an existing process or choose an approach to a business task.
A business case
_________________ is based on three types of plans: strategic, tactical, and operational.
Security management
____________ is a long-term plan that is fairly stable. It defines the organization’s goals, mission, and objectives.
Strategic plan
__________ is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan. Operational plans are short-term and highly detailed plans based on the strategic and tactical plans.
The tactical plan
List the elements of a formalized security structure. (there are 5)
Security policy
standards,
baselines,
guidelines,
procedures.
Security governance needs to address every aspect of an organization. What are those areas? (there are 3)
organizational processes of acquisitions,
divestitures,
governance committees.
List the Key Security Roles (there are 5)
senior manager,
security professional,
asset owner,
custodian,
user,
auditor.
______________ is a security concept infrastructure used to organize the complex security solutions of companies.
Control Objectives for Information and Related Technology (COBIT)
____________ is establishing a plan, policy, and process to protect the interests of an organization.
Due diligence
____________ can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed.
Threat modeling
____________ is a means to ensure that all the vendors or links in the supply chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements to their business partners.
Supply Chain Risk Management (SCRM)
_________ is knowing what should be done and planning for it; due care is doing the right action at the right time.
Due diligence
STRIDE, PASTA, VAST, diagramming, reduction/decomposing, and DREAD are key concepts of what?
Threat modeling
_____________ includes evaluating risks associated with hardware, software, and services; performing third-party assessment and monitoring; establishing minimum security requirements; and enforcing service-level requirements.
SCRM (Supply Chain Risk Management)
_____________ is practicing the individual activities that maintain the due diligence effort.
Due care
_____________ is the security process where potential threats are identified, categorized, and analyzed.
Threat modeling
Which factor is the most important item when it comes to ensuring security is successful in an organization?
A. Senior management support
B. Effective controls and implementation methods
C. Updated and relevant security policies and procedures
D. Security awareness by all employees
A. Senior management support
(scenario) Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows that many employees do not fully understand how their actions can put the institution at risk; thus, he needs to develop a security awareness program. He has determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the activities of bank personnel to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open the bank vault.
Todd documents several fraud opportunities that the employees have at the financial institution so that management understands these risks and allocates the funds and resources for his suggested solutions. Which of the following best describes the control Todd should put into place to be able to carry out fraudulent investigation activity?
A. Separation of duties
B. Job rotation
C. Mandatory vacations
D. Split knowledge
C. Mandatory vacations
(scenario) Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows that many employees do not fully understand how their actions can put the institution at risk; thus, he needs to develop a security awareness program. He has determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the activities of bank personnel to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open the bank vault.
If the financial institution wants to ensure that fraud cannot happen successfully unless collusion occurs, what should Todd put into place?
A. Separation of duties
B. Job rotation
C. Social engineering
D. Split knowledge
A. Separation of duties
(scenario) Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows that many employees do not fully understand how their actions can put the institution at risk; thus, he needs to develop a security awareness program. He has determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the activities of bank personnel to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open the bank vault.
Todd wants to be able to prevent fraud from taking place, but he knows that some people may get around the types of controls he puts into place. In those situations he wants to be able to identify when an employee is doing something suspicious. Which of the following incorrectly describes what Todd is implementing in this scenario and what those specific controls provide?
A. Separation of duties, by ensuring that a supervisor must approve the cashing of a check over $3,500. This is an administrative control that provides preventive protection for Todd’s organization.
B. Job rotation, by ensuring that one employee only stays in one position for up to three months at a time. This is an administrative control that provides detective capabilities.
C. Security awareness training, which can also emphasize enforcement.
D. Dual control, which is an administrative detective control that can ensure that two employees must carry out a task simultaneously.
D. Dual control
Which term denotes a potential cause of an unwanted incident, which may result in harm to a system or organization?
A. Vulnerability
B. Exploit
C. Threat
D. Attacker
C. Threat
A CISSP candidate signs an ethics statement prior to taking the CISSP examination. Which of the following would be a violation of the (ISC)2 Code of Ethics that could cause the candidate to lose his or her certification?
A. E-mailing information or comments about the exam to other CISSP candidates
B. Submitting comments on the questions of the exam to (ISC)2
C. Submitting comments to the board of directors regarding the test and content of the class
D. Conducting a presentation about the CISSP certification and what the certification means
A. E-mailing information or comments about the exam to other CISSP candidates
You want to ensure that your organization’s finance department, and only the finance department, has access to the organization’s bank statements. Which of the security properties would be most important?
A. Confidentiality
B. Integrity
C. Availability
D. Both A and C
D. Both A and C
You want to make use of the OpenOffice productivity software suite mandatory across your organization. In what type of document would you codify this?
A. Policy
B. Standard
C. Guideline
D. Procedure
B. Standard
For an enterprise security architecture to be successful in its development and implementation, which of the following items is not essential?
A. Strategic alignment
B. Security guidelines
C. Business enablement
D. Process enhancement
B. Security guidelines
Which of the following practices is likeliest to mitigate risks when considering a candidate for hiring?
A. Security awareness training
B. Nondisclosure agreement (NDA)
C. Background checks
D. Organizational ethics
C. Background checks
Which of the following best describes the relationship between COBIT and ITIL?
A. COBIT is a model for IT governance, whereas ITIL is a model for corporate governance.
B. COBIT provides a corporate governance roadmap, whereas ITIL is a customizable framework for IT service management.
C. COBIT defines IT goals, whereas ITIL provides the process-level steps on how to achieve them.
D. COBIT provides a framework for achieving business goals, whereas ITIL defines a framework for achieving IT service-level goals.
C. COBIT defines IT goals, whereas ITIL provides the process-level steps on how to achieve them.
Global organizations that transfer data across international boundaries must abide by guidelines and transborder information flow rules developed by an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. What organization is this?
A. Committee of Sponsoring Organizations of the Treadway Commission
B. The Organization for Economic Co-operation and Development
C. COBIT
D. International Organization for Standardization
B. The Organization for Economic Co-operation and Development
Steve, a department manager, has been asked to join a committee that is responsible for defining an acceptable level of risk for the organization, reviewing risk assessment and audit reports, and approving significant changes to security policies and programs. What committee is he joining?
A. Security policy committee
B. Audit committee
C. Risk management committee
D. Security steering committee
D. Security steering committee
Which of the following is not included in a risk assessment?
A. Discontinuing activities that introduce risk.
B. Identifying assets.
C. Identifying threats.
D. Analyzing risk in order of cost or criticality.
A. Discontinuing activities that introduce risk.
The integrity of data is not related to which of the following?
A. Unauthorized manipulation or changes to data
B. The modification of data without authorization
C. The intentional or accidental substitution of data
D. The extraction of data to share with unauthorized entities.
A. Unauthorized manipulation or changes to data
As the company’s CISO, George needs to demonstrate to the board of directors the necessity of a strong risk management program. Which of the following should George use to calculate the company’s residual risk?
A. threats x vulnerability x asset value = residual risk
B. SLE x frequency = ALE, which is equal to residual risk
C. (threats x vulnerability x asset value) x controls gap = residual risk
D. (total risk - asset value) x countermeasures = residual risk
C. (threats x vulnerability x asset value) x controls gap = residual risk
Which of the following is not a characteristic of a company with a security governance program in place?
A. Board members are updated quarterly on the company’s state of security.
B. All security activity takes place within the security department.
C. Security products, services and consultants are deployed in an informed manner.
D. The organization has established metrics and goals for improving security.
B. All security activity takes place within the security department.
ISO/IEC 27002 is part of a growing family of ISO/IEC information security management systems (ISMS) standards. It comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Which of the following provides an incorrect mapping of the individual standards that make up this family of standards?
A. ISO/IEC 20072: Code of practice for information security management.
B. ISO/IEC 20073: Guideline for ISMS implementation
C. ISO/IEC 20074: Guideline for information security management measurement and metrics framework.
D. ISO/IEC 20075: Guideline for bodies providing audit and certification of information security management systems.
D. ISO/IEC 20075: Guideline for bodies providing audit and certification of information security management systems.
Sam is the security manager of a company that makes most of its revenue from its intellectual property. Sam has implemented a process improvement program that has been certified by an outside entity. His company received a Level 2 during an appraisal process, and he is putting in steps to increase this to a Level 3. A year ago when Sam carried out a risk analysis, he determined that the company was at too much of a risk when it came to potentially losing trade secrets. The countermeasure his team implemented reduced this risk, and Sam determined that the annualized loss expectancy of the risk of a trade secret being stolen once in a hundred-year period is now $400.
Which of the following is the criteria Sam’s company was most likely certified under?
A. SABSA
B. Capability Maturity Model Integration
C. Information Technology Infrastructure Library
D. Prince2
B. Capability Maturity Model Integration
Sam is the security manager of a company that makes most of its revenue from its intellectual property. Sam has implemented a process improvement program that has been certified by an outside entity. His company received a Level 2 during an appraisal process, and he is putting in steps to increase this to a Level 3. A year ago when Sam carried out a risk analysis, he determined that the company was at too much of a risk when it came to potentially losing trade secrets. The countermeasure his team implemented reduced this risk, and Sam determined that the annualized loss expectancy of the risk of a trade secret being stolen once in a hundred-year period is now $400.
What is the associated single loss expectancy value in this scenario?
A. 65,000
B. 400,000
C. 40,000
D. 4,000
C. 40,000
As his company’s business continuity coordinator, Matthew is responsible for helping recruit members to the business continuity planning (BCP) committee. Which of the following does not correctly describe this effort?
A. Committee members should be involved with the planning stages, as well as the testing and implementation stages.
B. The smaller the team, the better to keep meetings under control.
C. The business continuity coordinator should work with management to appoint committee members.
D. The team should consist of people from different departments across the company.
B. The smaller the team, the better to keep meetings under control.
A proper risk analysis has specific steps and objectives that it needs to accomplish. Which of the following lists these items?
A. Identify assets and their values, identify vulnerabilities and threats, quantify the probability and business impact of these potential threats; and provide inexpensive countermeasure recommendations.
B. Identify assets and their value to the organization, determine the likelihood that a threat exploits a vulnerability, determine the business impact of these potential threats; and provide an economic balance between the impact of the threat and the cost of the countermeasure.
C. Identify assets; identify vulnerabilities and threats; quantify the probability and business impact of these potential threats; and provide economical countermeasure recommendations.
D. Identify assets and their values; identify fraud and collusion; quantify the probability and business impact of these potential threats; and provide economical countermeasure recommendations.