Chapter 5: Prevention and Risk Management

Question 1

Information Security Management System (ISIM)

Answer 1

Organizational internal control process that ensures the following 3 objectives in relation to data and information within the organization: integrity, confidentiality, and availability.

Question 2

ISIM Security Objectives

Answer 2

Confidentiality
Integrity
Availibility

Question 3

Confidentiality

Answer 3

This concept involves ensuring that data and information are made available only to authorized persons.

Question 4

Integrity

Answer 4

1. Accuracy means inputting the correct data into the system and then processing it as intended, without errors.
2. Completeness ensures that no unauthorized additions, removals, or modifications are made to data that has been inputted into the system

Question 5

Availability

Answer 5

This concept involves ensuring that data and information are available when and where they are needed.

Question 6

Implementing ISMSsPlan Phase

Answer 6

• Initiating the project
• Defining the scope of the ISMS
• Establishing an ISMS policy,
• Performing a risk assessment,
• Selecting risk treatments,
• Selecting control objectives, and
• Producing a statement of applicability

Question 7

Implementing ISMSsPlan Phase

Answer 7

• Initiating the project
• Defining the scope of the ISMS
• Establishing an ISMS policy,
• Performing a risk assessment,
• Selecting risk treatments,
• Selecting control objectives, and
• Producing a statement of applicability

Question 8

General categories of assets at risk:

Answer 8

• Human resources
• Information
• Documents
• Software
• Physical equipment
• Services
• Company image and reputation

Question 9

What are the four security classifications?

Answer 9

Unclassified, Shared, Company only, Confidential

Question 10

Unclassified

Answer 10

Unrestricted assets; the asset is available to the public.

Question 11

Shared

Answer 11

Restricted access to specific groups of individuals including organizational insiders and outsiders.

Question 12

Company only

Answer 12

Restricted access to organizational insiders.

Question 13

Confidential

Answer 13

Restricted access to a specific list of individuals.

Question 14

Active Threat

Answer 14

Potential intentional attack on the information system.

Question 15

Active Threat Examples

Answer 15

• Input manipulation (most common source of fraud)
• Direct file alteration (bypass normal software)
• Program alteration (requires sophistication)
• Data theft (hard to detect and prove)
• Sabotage (disgruntled employees)
• Misappropriation of information system resources

Question 16

Information security assurance (ISA)

Answer 16

Refers to some type of evidence-based assertion that increases the certainty that a security-related deliverable can withstand specified security threats.

Question 17

target of evaluation (TOE)

Answer 17

performing assurance activities that satisfy a predefined security target or security protection profile.

Question 18

target of evaluation (TOE)

Answer 18

This is the information security deliverable, the object for which assurances are made.

Question 19

Assurance activities

Answer 19

These activities depend on the method of assessment. Various methods of assessment are discussed later.

Question 20

Security target (ST)

Answer 20

This is the set of security specifications and requirements used to evaluate the target of evaluation.

Question 21

Security protection profile (SPP)

Answer 21

Similar to a security target, this profile is much broader in scope. Unlike an ST, a SPP does not apply to any one particular deliverable but represents the security needs of a given individual or group of individuals.