Chapter 2: Information Security Governance and Risk Management Flashcards

1
Q
1. Who has the primary responsibility of determining the classification level for
information?
A. The functional manager
B. Senior management
C. The owner
D. The user
A
C. A company can have one specific data owner or different data owners who have been delegated the responsibility of protecting specific sets of data. One of the responsibilities that goes into protecting this information is properly classifying it.
2
Q
2. If different user groups with different security access levels need to access the same information, which of the following actions should management take?
A. Decrease the security level on the information to ensure accessibility and usability of the information.
B. Require specific written approval each time an individual needs to access the information.
C. Increase the security controls on the information.
D. Decrease the classification label on the information.
A
C. If data is going to be available to a wide range of people, more granular security should be implemented to ensure that only the necessary people access the data and that the operations they carry out are controlled. The security implemented can come in the form of authentication and authorization technologies, encryption, and specific access control mechanisms.
3
Q
3. What should management consider the most when classifying data?
A. The type of employees, contractors, and customers who will be accessing the data
B. Availability, integrity, and confidentiality
C. Assessing the risk level and disabling countermeasures
D. The access controls that will be protecting the data
A
B. The best answer to this question is B, because to properly classify data, the data owner must evaluate the availability, integrity, and confidentiality requirements of the data. Once this evaluation is done, it will dictate which employees, contractors, and users can access the data, which is expressed in answer A. This assessment will also help determine the controls that should be put into place.
4
Q
4. Who is ultimately responsible for making sure data is classified and protected?
A. Data owners
B. Users
C. Administrators
D. Management
A
D. The key to this question is the use of the word “ultimately.” Though management can delegate tasks to others, it is ultimately responsible for everything that takes place within a company. Therefore, it must continually ensure that data and resources are being properly protected.
5
Q
5. Which factor is the most important item when it comes to ensuring security is successful in an organization?
A. Senior management support
B. Effective controls and implementation methods
C. Updated and relevant security policies and procedures
D. Security awareness by all employees
A
A. Without senior management’s support, a security program will not receive the necessary attention, funds, resources, and enforcement capabilities.
6
Q
6. When is it acceptable to not take action on an identified risk?
A. Never. Good security addresses and reduces all risks.
B. When political issues prevent this type of risk from being addressed
C. When the necessary countermeasure is complex.
D. When the cost of the countermeasure outweighs the value of the asset and potential loss.
A
D. Companies may decide to live with specific risks they are faced with if the cost of trying to protect themselves would be greater than the potential loss if the threat were to become real. Countermeasures are usually complex to a degree, and there are almost always political issues surrounding different risks, but these are not reasons to not implement a countermeasure.
7
Q
7. Which is the most valuable technique when determining if a specific security control should be implemented?
A. Risk analysis
B. Cost/benefit analysis
C. ALE results
D. Identifying the vulnerabilities and threats causing the risk
A
B. Although the other answers may seem correct, B is the best answer here. This is because a risk analysis is performed to identify risks and come up with suggested countermeasures. The ALE tells the company how much it could lose if a specific threat became real. The ALE value will go into the cost/benefit analysis, but the ALE does not address the cost of the countermeasure and the benefit of a countermeasure. All the data captured in answers A, C, and D are inserted into a cost/benefit analysis.
8
Q
8. Which best describes the purpose of the ALE calculation?
A. Quantifies the security level of the environment
B. Estimates the loss possible for a countermeasure
C. Quantifies the cost/benefit result
D. Estimates the loss potential of a threat in a span of a year
A
D. The ALE calculation estimates the potential loss that can affect one asset from a specific threat within a one-year time span. This value is used to figure out the amount of money that should be earmarked to protect this asset from this threat.
9
Q
9. The security functionality defines the expected activities of a security mechanism, and assurance defines which of the following?
A. The controls the security mechanism will enforce
B. The data classification after the security mechanism has been implemented
C. The confidence of the security the mechanism is providing
D. The cost/benefit relationship
A
C. The functionality describes how a mechanism will work and behave. This may have nothing to do with the actual protection it provides. Assurance is the level of confidence in the protection level a mechanism will provide. When systems and mechanisms are evaluated, their functionality and assurance should be examined and tested individually.
10
Q
10. How do you calculate residual risk?
A. Threats × risks × asset value
B. (Threats × asset value × vulnerability) × risks
C. SLE × frequency = ALE
D. (Threats × vulnerability × asset value) × controls gap
A
D. The equation is more conceptual than practical. It is hard to assign a number to an individual vulnerability or threat. This equation enables you to look at the potential loss of a specific asset, as well as the controls gap (what the specific countermeasure cannot protect against). What remains is the residual risk, which is what is left over after a countermeasure is implemented.
11
Q
11. Why should the team that will perform and review the risk analysis information be made up of people in different departments?
A. To make sure the process is fair and that no one is left out.
B. It shouldn’t. It should be a small group brought in from outside the organization because otherwise the analysis is biased and unusable.
C. Because people in different departments understand the risks of their department. Thus, it ensures the data going into the analysis is as close to reality as possible.
D. Because the people in the different departments are the ones causing the risks, so they should be the ones held accountable.
A
C. An analysis is only as good as the data that go into it. Data pertaining to risks the company faces should be extracted from the people who understand best the business functions and environment of the company. Each department understands its own threats and resources, and may have possible solutions to specific threats that affect its part of the company.
12
Q
12. Which best describes a quantitative risk analysis?
A. A scenario-based analysis to research different security threats
B. A method used to apply severity levels to potential loss, probability of loss, and risks
C. A method that assigns monetary values to components in the risk assessment
D. A method that is based on gut feelings and opinions
A
C. A quantitative risk analysis assigns monetary values and percentages to the different components within the assessment. A qualitative analysis uses opinions of individuals and a rating system to gauge the severity level of different threats and the benefits of specific countermeasures.
13
Q
13. Why is a truly quantitative risk analysis not possible to achieve?
A. It is possible, which is why it is used.
B. It assigns severity levels. Thus, it is hard to translate into monetary values.
C. It is dealing with purely quantitative elements.
D. Quantitative measures must be applied to qualitative elements.
A
D. During a risk analysis, the team is trying to properly predict the future and all the risks that future may bring. It is somewhat of a subjective exercise and requires educated guessing. It is very hard to properly predict that a flood will take place once in ten years and cost a company up to $40,000 in damages, but this is what a quantitative analysis tries to accomplish.
14
Q
14. What is CobiT and where does it fit into the development of information security systems and security programs?
A. Lists of standards, procedures, and policies for security program development
B. Current version of ISO 17799
C. A framework that was developed to deter organizational internal fraud
D. Open standards for control objectives
A
D. The Control Objectives for Information and related Technology (CobiT) is a framework developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and ensure IT maps to business needs.
15
Q
15. What are the four domains that make up CobiT?
A. Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate
B. Plan and Organize, Maintain and Implement, Deliver and Support, and Monitor and Evaluate
C. Plan and Organize, Acquire and Implement, Support and Purchase, and Monitor and Evaluate
D. Acquire and Implement, Deliver and Support, and Monitor and Evaluate
A
A. CobiT has four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. Each category drills down into subcategories. For example, Acquire and Implement contains the following subcategories:
• Acquire and Maintain Application Software
• Acquire and Maintain Technology Infrastructure
• Develop and Maintain Procedures
• Install and Accredit Systems
• Manage Changes
16
Q
16. What is the ISO/IEC 27799 standard?
A. A standard on how to protect personal health information
B. The new version of BS 17799
C. Definitions for the new ISO 27000 series
D. The new version of NIST 800-60
A
A. It is referred to as health informatics, and its purpose is to provide guidance to health organizations and other holders of personal health information on how to protect such information via implementation of ISO/IEC 27002.
17
Q
17. CobiT was developed from the COSO framework. What are COSO’s main objectives and purpose?
A. COSO is a risk management approach that pertains to control objectives and IT business processes.
B. Prevention of a corporate environment that allows for and promotes financial fraud.
C. COSO addresses corporate culture and policy development.
D. COSO is a risk management system used for the protection of federal systems.
A
B. COSO deals more at the strategic level, while CobiT focuses more at the operational level. CobiT is a way to meet many of the COSO objectives, but only from the IT perspective. COSO deals with non-IT items also, as in company culture, financial accounting principles, board of director responsibility, and internal communication structures. Its main purpose is to help ensure fraudulent financial reporting cannot take place in an organization.
18
Q
18. OCTAVE, NIST 800-30, and AS/NZS 4360 are different approaches to carrying out risk management within companies and organizations. What are the differences between these methods?
A. NIST 800-30 and OCTAVE are corporate based, while AS/NZS is international.
B. NIST 800-30 is IT based, while OCTAVE and AS/NZS 4360 are corporate based.
C. AS/NZS is IT based, and OCTAVE and NIST 800-30 are assurance based.
D. NIST 800-30 and AS/NZS are corporate based, while OCTAVE is international.
A
B. NIST 800-30 Risk Management Guide for Information Technology Systems is a U.S. federal standard that is focused on IT risks. OCTAVE is a methodology to set up a risk management program within an organizational structure. AS/NZS 4360 takes a much broader approach to risk management. This methodology can be used to understand a company’s financial, capital, human safety, and business decisions risks. Although it can be used to analyze security risks, it was not created specifically for this purpose.
19
Q

A server that houses sensitive data
has been stored in an unlocked room for the last few years at Company A. The door to
the room has a sign on the door that reads “Room 1.” This sign was placed on the door
with the hope that people would not look for important servers in this room. Realizing
this is not optimum security, the company has decided to install a reinforced lock and
server cage for the server and remove the sign. They have also hardened the server’s
configuration and employed strict operating system access controls.

19. The fact that the server has been in an unlocked room marked “Room 1” for the last few years means the company was practicing which of the following?
A. Logical security
B. Risk management
C. Risk transference
D. Security through obscurity
A
D. Security through obscurity is not implementing true security controls, but rather attempting to hide the fact that an asset is vulnerable in the hope that an attacker will not notice. Security through obscurity is an approach to try and fool a potential attacker, which is a poor way of practicing security. Vulnerabilities should be identified and fixed, not hidden.
20
Q

A server that houses sensitive data
has been stored in an unlocked room for the last few years at Company A. The door to
the room has a sign on the door that reads “Room 1.” This sign was placed on the door
with the hope that people would not look for important servers in this room. Realizing
this is not optimum security, the company has decided to install a reinforced lock and
server cage for the server and remove the sign. They have also hardened the server’s
configuration and employed strict operating system access controls.

20. The new reinforced lock and cage serve as which of the following?
A. Logical controls
B. Physical controls
C. Administrative controls
D. Compensating controls
A
B. Physical controls are security mechanisms in the physical world, as in locks, fences, doors, computer cages, etc. There are three main control types, which are administrative, technical, and physical.
21
Q

A server that houses sensitive data
has been stored in an unlocked room for the last few years at Company A. The door to
the room has a sign on the door that reads “Room 1.” This sign was placed on the door
with the hope that people would not look for important servers in this room. Realizing
this is not optimum security, the company has decided to install a reinforced lock and
server cage for the server and remove the sign. They have also hardened the server’s
configuration and employed strict operating system access controls.

21. The operating system access controls comprise which of the following?
A. Logical controls
B. Physical controls
C. Administrative controls
D. Compensating controls
A
A. Logical (or technical) controls are security mechanisms, as in firewalls, encryption, software permissions, and authentication devices. They are commonly used in tandem with physical and administrative controls to provide a defense-in-depth approach to security.
22
Q

A company has an e-commerce
website that carries out 60 percent of its annual revenue. Under the current circumstances,
the annualized loss expectancy for a website against the threat of attack is
$92,000. After implementing a new application-layer firewall, the new annualized loss
expectancy would be $30,000. The firewall costs $65,000 per year to implement and
maintain.

22. How much does the firewall save the company in loss expenses?
A. $62,000
B. $3,000
C. $65,000
D. $30,000
A
A. $62,000 is the correct answer. The firewall reduced the annualized loss expectancy (ALE) from $92,000 to $30,000 for a savings of $62,000. The formula for ALE is single loss expectancy × annualized rate of occurrence = ALE. Subtracting the ALE value after the firewall is implemented from the value before it was implemented results in the potential loss savings this type of control provides.
23
Q

A company has an e-commerce
website that carries out 60 percent of its annual revenue. Under the current circumstances,
the annualized loss expectancy for a website against the threat of attack is
$92,000. After implementing a new application-layer firewall, the new annualized loss
expectancy would be $30,000. The firewall costs $65,000 per year to implement and
maintain.

23. What is the value of the firewall to the company?
A. $62,000
B. $3,000
C. –$62,000
D. –$3,000
A
D. –$3,000 is the correct answer. The firewall saves $62,000, but costs $65,000 per year. 62,000 – 65,000 = –3,000. The firewall actually costs the company more than the original expected loss, and thus the value to the company is a negative number. The formula for this calculation is (ALE before the control is implemented) – (ALE after the control is implemented) – (annual cost of control) = value of control.
24
Q

A company has an e-commerce
website that carries out 60 percent of its annual revenue. Under the current circumstances,
the annualized loss expectancy for a website against the threat of attack is
$92,000. After implementing a new application-layer firewall, the new annualized loss
expectancy would be $30,000. The firewall costs $65,000 per year to implement and
maintain.

24. Which of the following describes the company’s approach to risk
management?
A. Risk transference
B. Risk avoidance
C. Risk acceptance
D. Risk mitigation
A
D. Risk mitigation involves employing controls in an attempt to reduce either the likelihood or damage associated with an incident, or both. The four ways of dealing with risk are accept, avoid, transfer, and mitigate (reduce). A firewall is a countermeasure installed to reduce the risk of a threat.
25
Q

A small remote office for a company
is valued at $800,000. It is estimated, based on historical data, that a fire is likely to
occur once every ten years at a facility in this area. It is estimated that such a fire would
destroy 60 percent of the facility under the current circumstances and with the current
detective and preventative controls in place.

25. What is the Single Loss Expectancy (SLE) for the facility suffering from a fire?
A. $80,000
B. $480,000
C. $320,000
D. 60%
A
B. $480,000 is the correct answer. The formula for single loss expectancy (SLE) is asset value × exposure factor (EF) = SLE. In this situation the formula would work out as asset value ($800,000) × exposure factor (60%) = $480,000. This means that the company has a potential loss value of $480,000 pertaining to this one asset (facility) and this one threat type (fire).
26
Q

A small remote office for a company
is valued at $800,000. It is estimated, based on historical data, that a fire is likely to
occur once every ten years at a facility in this area. It is estimated that such a fire would
destroy 60 percent of the facility under the current circumstances and with the current
detective and preventative controls in place.

26. What is the Annualized Rate of Occurrence (ARO)?
A. 1
B. 10
C. .1
D. .01
A
C. The annualized rate of occurrence (ARO) is the frequency that a threat will most likely occur within a 12-month period. It is a value used in the ALE formula, which is SLE × ARO = ALE.
27
Q

A small remote office for a company
is valued at $800,000. It is estimated, based on historical data, that a fire is likely to
occur once every ten years at a facility in this area. It is estimated that such a fire would
destroy 60 percent of the facility under the current circumstances and with the current
detective and preventative controls in place.

27. What is the Annualized Loss Expectancy (ALE)?
A. $480,000
B. $32,000
C. $48,000
D. .6
A
C. $48,000 is the correct answer. The annualized loss expectancy formula (SLE × ARO = ALE) is used to calculate the loss potential for one asset experiencing one threat in a 12-month period. The resulting ALE value helps to determine the amount that can reasonably be spent in the protection of that asset. In this situation, the company should not spend over $48,000 on protecting this asset from the threat of fire. ALE values help organizations rank the severity level of the risks they face so they know which ones to deal with first and how much to spend on each.
28
Q
28. The international standards bodies ISO and IEC developed a series of standards that are used in organizations around the world to implement and maintain information security management systems. The standards were derived from the British Standard 7799, which was broken down into two main pieces. Organizations can use this series of standards as guidelines, but can also be certified against them by accredited third parties. Which of the following are incorrect mappings pertaining to the individual standards that make up the ISO/IEC 27000 series?
i. ISO/IEC 27001 outlines ISMS implementation guidelines, and ISO/IEC 27003 outlines the ISMS program’s requirements.
ii. ISO/IEC 27005 outlines the audit and certification guidance, and ISO/IEC 27002 outlines the metrics framework.
iii. ISO/IEC 27006 outlines the program implementation guidelines, and ISO/IEC 27005 outlines risk management guidelines.
iv. ISO/IEC 27001 outlines the code of practice, and ISO/IEC 27004 outlines the implementation framework.
A. i, iii
B. i, ii
C. ii, iii, iv
D. i, ii, iii, iv
A
D. Unfortunately, you will run into questions on the CISSP exam that will be this confusing, so you need to be ready for them. The proper mapping for the ISO/IEC standards are as follows:
• ISO/IEC 27001 ISMS requirements
• ISO/IEC 27002 Code of practice for information security management
• ISO/IEC 27003 Guideline for ISMS implementation
• ISO/IEC 27004 Guideline for information security management measurement and metrics framework
• ISO/IEC 27005 Guideline for information security risk management
• ISO/IEC 27006 Guidance for bodies providing audit and certification of information security management systems
29
Q
29. The information security industry is made up of various best practices, standards, models, and frameworks. Some were not developed first with security in mind, but can be integrated into an organizational security program to help in its effectiveness and efficiency. It is important to know of all of these different approaches so that an organization can choose the ones that best fit its business needs and culture. Which of the following best describes the approach(es) that should be put into place if an organization wants to integrate a way to improve its security processes over a period of time?
i. Information Technology Infrastructure Library should be integrated because it allows for the mapping of IT service process management, business drivers, and security improvement.
ii. Six Sigma should be integrated because it allows for the defects of security processes to be identified and improved upon.
iii. Capability Maturity Model should be integrated because it provides distinct maturity levels.
iv. The Open Group Architecture Framework should be integrated because it provides a structure for process improvement.
A. i, iii
B. ii, iii, iv
C. ii, iii
D. ii, iv
A
C. The best process improvement approaches provided in this list are Six Sigma and the Capability Maturity Model. The following outlines the definitions for all items in this question:
• TOGAF Model and methodology for the development of enterprise architectures developed by The Open Group
• ITIL Processes to allow for IT service management developed by the United Kingdom’s Office of Government Commerce
• Six Sigma Business management strategy that can be used to carry out process improvement
• Capability Maturity Model Integration (CMMI) Organizational development for process improvement developed by Carnegie Mellon
30
Q

Todd is a new security manager and
has the responsibility of implementing personnel security controls within the financial
institution where he works. Todd knows that many employees do not fully understand
how their actions can put the institution at risk; thus, an awareness program needs to be
developed. He has determined that the bank tellers need to get a supervisory override
when customers have checks over $3,500 that need to be cashed. He has also uncovered
that some employees have stayed in their specific positions within the company for over
three years. Todd would like to be able to investigate some of the bank’s personnel activities
to see if any fraudulent activities have taken place. Todd is already ensuring that
two people must use separate keys at the same time to open the bank vault.

30. Todd documents several fraud opportunities that the employees have at the financial institution so that management understands these risks and allocates the funds and resources for his suggested solutions. Which of the following best describes the control Todd should put into place to be able to carry out fraudulent investigation activity?
A. Separation of duties
B. Rotation of duties
C. Mandatory vacations
D. Split knowledge
A
C. Mandatory vacation is an administrative detective control that allows for an organization to investigate an employee’s daily business activities to uncover any potential fraud that may be taking place. The employee should be forced to be away from the organization for a two-week period and another person put into that role. The idea is that the person who was rotated into that position may be able to detect suspicious activities.
31
Q

Todd is a new security manager and
has the responsibility of implementing personnel security controls within the financial
institution where he works. Todd knows that many employees do not fully understand
how their actions can put the institution at risk; thus, an awareness program needs to be
developed. He has determined that the bank tellers need to get a supervisory override
when customers have checks over $3,500 that need to be cashed. He has also uncovered
that some employees have stayed in their specific positions within the company for over
three years. Todd would like to be able to investigate some of the bank’s personnel activities
to see if any fraudulent activities have taken place. Todd is already ensuring that
two people must use separate keys at the same time to open the bank vault.

31. If the financial institution wants to force collusion to take place for fraud to happen successfully in this situation, what should Todd put into place?
A. Separation of duties
B. Rotation of duties
C. Social engineering
D. Split knowledge
A
A. Separation of duties is an administrative control that is put into place to ensure that one person cannot carry out a critical task by himself. If a person were able to carry out a critical task alone, this could put the organization at risk. Collusion is when two or more people come together to carry out fraud. So if a task was split between two people, they would have to carry out collusion (working together) to complete that one task and carry out fraud.
32
Q

Todd is a new security manager and
has the responsibility of implementing personnel security controls within the financial
institution where he works. Todd knows that many employees do not fully understand
how their actions can put the institution at risk; thus, an awareness program needs to be
developed. He has determined that the bank tellers need to get a supervisory override
when customers have checks over $3,500 that need to be cashed. He has also uncovered
that some employees have stayed in their specific positions within the company for over
three years. Todd would like to be able to investigate some of the bank’s personnel activities
to see if any fraudulent activities have taken place. Todd is already ensuring that
two people must use separate keys at the same time to open the bank vault.

32. Todd wants to be able to prevent fraud from taking place, but he knows that some people may get around the types of controls he puts into place. In those situations he wants to be able to identify when an employee is doing something suspicious. Which of the following incorrectly describes what Todd is implementing in this scenario and what those specific controls provide?
A. Separation of duties by ensuring that a supervisor must approve the cashing of a check over $3,500. This is an administrative control that provides preventative protection for Todd’s organization.
B. Rotation of duties by ensuring that one employee only stays in one position for up to three months at a time. This is an administrative control that provides detective capabilities.
C. Security awareness training, which is a preventive administrative control that can also emphasize enforcement.
D. Dual control, which is an administrative detective control that can ensure that two employees must carry out a task simultaneously.
A
D. Dual control is an administrative preventative control. It ensures that two people must carry out a task at the same time, as in two people having separate keys when opening the vault. It is not a detective control. Notice that the question asks what Todd is not doing. Remember that on the exam you need to choose the best answer. In many situations you will not like the question or the corresponding answers on the CISSP exam, so prepare yourself. The questions can be tricky, which is one reason why the exam itself is so difficult.
33
Q

Sam has just been hired as the new
security officer for a pharmaceutical company. The company has experienced many
data breaches and has charged Sam with ensuring that the company is better protected.
The company currently has the following classifications in place: public, confidential,
and secret. There is a data classification policy that outlines the classification scheme
and the definitions for each classification, but there is no supporting documentation
that the technical staff can follow to know how to meet these goals. The company has
no data loss prevention controls in place and only conducts basic security awareness
training once a year. Talking to the business unit managers, he finds out that only half
of them even know where the company’s policies are located and none of them know
their responsibilities pertaining to classifying data.

  1. Which of the following best describes what Sam should address first in this
    situation?
    A. Integrate data protection roles and responsibilities within the security
    awareness training and require everyone to attend it within the
    next 15 days.
    B. Review the current classification policies to ensure that they properly
    address the company’s risks.
    C. Meet with senior management and get permission to enforce data owner
    tasks for each business unit manager.
    D. Audit all of the current data protection controls in place to get a firm
    understanding of what vulnerabilities reside in the environment.
A
  1. B. While each answer is a good thing for Sam to carry out, the first thing
    that needs to be done is to ensure that the policies properly address data
    classification and protection requirements for the company. Policies provide
    direction, and all other documents (standards, procedures, guidelines) and
    security controls are derived from the policies and support them.
34
Q

Sam has just been hired as the new
security officer for a pharmaceutical company. The company has experienced many
data breaches and has charged Sam with ensuring that the company is better protected.
The company currently has the following classifications in place: public, confidential,
and secret. There is a data classification policy that outlines the classification scheme
and the definitions for each classification, but there is no supporting documentation
that the technical staff can follow to know how to meet these goals. The company has
no data loss prevention controls in place and only conducts basic security awareness
training once a year. Talking to the business unit managers, he finds out that only half
of them even know where the company’s policies are located and none of them know
their responsibilities pertaining to classifying data.

  1. Sam needs to get senior management to assign the responsibility of protecting
    specific data sets to the individual business unit managers, thus making them
    data owners. Which of the following would be the most important in the
    criteria the managers would follow in the process of actually classifying data
    once this responsibility has been assigned to them?
    A. Usefulness of the data
    B. Age of the data
    C. Value of the data
    D. Compliance requirements of the data
A
  1. C. Data is one of the most critical assets to any organization. The value of the
    asset must be understood so that the organization knows which assets require
    the most protection. There are many components that go into calculating the
    value of an asset: cost of replacement, revenue generated from the asset, amount
    adversaries would pay for the asset, cost that went into the development of
    the asset, productivity costs if the asset were absent or destroyed, and liability costs
    of not properly protecting the asset. So the data owners need to be able to
    determine the value of the data to the organization for proper classification
    purposes.
35
Q

Sam has just been hired as the new
security officer for a pharmaceutical company. The company has experienced many
data breaches and has charged Sam with ensuring that the company is better protected.
The company currently has the following classifications in place: public, confidential,
and secret. There is a data classification policy that outlines the classification scheme
and the definitions for each classification, but there is no supporting documentation
that the technical staff can follow to know how to meet these goals. The company has
no data loss prevention controls in place and only conducts basic security awareness
training once a year. Talking to the business unit managers, he finds out that only half
of them even know where the company’s policies are located and none of them know
their responsibilities pertaining to classifying data.

  1. From this scenario, what has the company accomplished so far?
    A. Implementation of administrative controls
    B. Implementation of operational controls
    C. Implementation of physical controls
    D. Implementation of logical controls
A
  1. A. The company has developed a data classification policy, which is an
    administrative control.
36
Q

Susan has been told by her boss that
she will be replacing the current security manager within her company. Her boss explained
to her that operational security measures have not been carried out in a standard
fashion, so some systems have proper security configurations and some do not.
Her boss needs to understand how dangerous it is to have some of the systems misconfigured
along with what to do in this situation.

  1. Which of the following best describes what Susan needs to ensure the
    operations staff creates for proper configuration standardization?
    A. Dual control
    B. Redundancy
    C. Training
    D. Baselines
A
  1. D. The operations staff needs to know what minimum level of security is
    required per system within the network. This minimum level of security is
    referred to as a baseline. Once a baseline is set per system, the staff has
    something to compare the system against, which lets them detect changes that
    were not made properly and that could leave the system vulnerable.
37
Q

Susan has been told by her boss that
she will be replacing the current security manager within her company. Her boss explained
to her that operational security measures have not been carried out in a standard
fashion, so some systems have proper security configurations and some do not.
Her boss needs to understand how dangerous it is to have some of the systems misconfigured
along with what to do in this situation.

  1. Which of the following is the best way to illustrate to her boss the dangers of
    the current configuration issues?
    A. Map the configurations to the compliance requirements.
    B. Compromise a system to illustrate its vulnerability.
    C. Audit the systems.
    D. Carry out a risk assessment.
A
  1. D. Susan needs to illustrate these vulnerabilities (misconfigured systems) in
    the context of risk to her boss. This means she needs to identify the specific
    vulnerabilities, associate threats to those vulnerabilities, and calculate their
    risks. This will allow her boss to understand how critical these issues are and
    what type of action needs to take place.
38
Q

Susan has been told by her boss that
she will be replacing the current security manager within her company. Her boss explained
to her that operational security measures have not been carried out in a standard
fashion, so some systems have proper security configurations and some do not.
Her boss needs to understand how dangerous it is to have some of the systems misconfigured
along with what to do in this situation.

  1. Which of the following is one of the most likely solutions that Susan will
    come up with and present to her boss?
    A. Development of standards
    B. Development of training
    C. Development of monitoring
    D. Development of testing
A
  1. A. Standards need to be developed that outline proper configuration
    management processes and approved baseline configuration settings. Once
    these standards are developed and put into place, then employees can be
    trained on these issues and how to implement and maintain what is outlined
    in the standards. Systems can be tested against what is laid out in the standards,
    and systems can be monitored to detect if there are configurations that do not
    meet the requirements outlined in the standards. You will find that some CISSP
    questions seem subjective and their answers hard to pin down. Questions that
    ask what is “best” or “more likely” are common.