Chapter 6 Review Flashcards

1
Q

Chapter 6 Review

These things are the procedures, mechanisms, systems, and other measures designed to reduce risk through compliance with policies.

A

CONTROLS

2
Q

Chapter 6 Review

To ensure that its business objectives will be met, risks are reduced, and errors are prevented or corrected, an organisation will develop what?

A

CONTROLS

3
Q

Chapter 6 Review

To achieve desired outcomes, an organisation may adopt one or more of these to identify and implement controls

A

CONTROL FRAMEWORKS

4
Q

Chapter 6 Review

Each control consumes this and should therefore be carefully considered

A

RESOURCES

5
Q

Chapter 6 Review

This person needs to understand the various types of controls (such as preventive, detective, deterrent, manual, automatic, and so on) so that the correct types of controls can be implemented.

A

SECURITY MANAGER

6
Q

Chapter 6 Review

This is done to controls so that security professionals can better understand and work with them.

A

CLASSIFIED

7
Q

Chapter 6 Review

Control type descriptors include:

  1. P____ ; Tangible, such as a fence
  2. T____ ; Uses software configuration
  3. A____ ; Managing a system effectively
  4. P____ ; To stop something happening
  5. D____ ; To identify something happening
  6. M____ ; To do something by hand
  7. A____ ; To allow a system to respond
  8. C____ ; To reduce or counteract something
  9. R____ ; To restore
A
  1. PHYSICAL
  2. TECHNICAL
  3. ADMINISTRATIVE
  4. PREVENTIVE
  5. DETECTIVE
  6. MANUAL
  7. AUTOMATIC
  8. COMPENSATING
  9. RECOVERY
8
Q

Chapter 6 Review

These things are general in nature and implemented in different ways on different information systems based on their individual capabilities, limitations, and applicability.

A

GENERAL COMPUTING CONTROLS
(GCCs)

9
Q

Chapter 6 Review

A control framework is a collection of controls organized into these things

A

LOGICAL CATEGORIES

10
Q

Chapter 6 Review

Well-known control frameworks are intended to address a broad set of information risks common to most organizations. Examples include:

  1. ISO/IEC ____
  2. NIST SP 800-____
  3. C____ C ____
A
  1. ISO/IEC 27002
  2. NIST SP 800-53
  3. CIS CSC
11
Q

Chapter 6 Review

This is a term/method which maps two or more control frameworks together.

A

CROSSWALK

12
Q

Chapter 6 Review

Before a control can be designed, the security manager needs to have some idea of this; otherwise they will not have a clear objective.

A

THE NATURE OF THE RISKS THE CONTROL IS INTENDED TO ADDRESS

13
Q

Chapter 6 Review

In this program, new risks may be identified during a risk assessment that lead to the creation of additional controls.

A

RISK MANAGEMENT PROGRAM

14
Q

Chapter 6 Review

After a control has been designed, it should be put into service and then it should have this done to it.

A

MANAGED THROUGHOUT ITS LIFE

15
Q

Chapter 6 Review

Management of a control throughout its life could involve this happening in the form of changes to business processes and information systems.

A

OPERATIONAL IMPACT

16
Q

Chapter 6 Review

Management of a control throughout its life could involve operational impact through changes to business processes or information systems. Changes with this will require greater care so that business processes are not adversely affected.

A

GREATER IMPACT

17
Q

Chapter 6 Review

Controls should include this information which describes the purpose, applicability, scope, classification, measurements, testing procedures, cross references, and more.

A

METADATA

18
Q

Chapter 6 Review

Controls should include metadata that describes the:

  1. P____ ; A reason for existing
  2. A____ ; What the control serves
  3. S____ ; The extent of coverage
  4. C____ ; A category something is put into
  5. M____ ; Ability to take metrics
  6. T____ P ____ ; A number of criteria to determine effectiveness
  7. C____ R ____ ; Refer to other systems and relationships
A
  1. PURPOSE
  2. APPLICABILITY
  3. SCOPE
  4. CLASSIFICATION
  5. MEASUREMENTS
  6. TESTING PROCEDURES
  7. CROSS REFERENCES
19
Q

Chapter 6 Review

The implementation of a new control should be guided by formal processes. A new control should have the following things in place:

  1. This is the purpose of its existence
  2. This will be done to validate that the control is effective
  3. This endorsement is needed to implement the control
  4. This process should be followed to identify potential risk through implementation and ensure a valid plan
A
  1. CONTROL OBJECTIVE
  2. TEST PLAN
  3. AUTHORIZATION
  4. CHANGE MANAGEMENT
20
Q

Chapter 6 Review

Controls that have been placed into service will transition into this

A

ROUTINE OPERATIONS

21
Q

Chapter 6 Review

These individuals will operate their controls and try to be aware of any problems, especially early on.

A

CONTROL OWNERS

22
Q

Chapter 6 Review

Whether controls are automatic or manual, preventive or corrective, these individuals are responsible for ensuring that their controls operate correctly in every respect.

A

CONTROL OWNERS

23
Q

Chapter 6 Review

It is essential for security managers to understand the technology underpinning controls to ensure that these 2 things are effectively met

A

DESIGN and OPERATION

24
Q

Chapter 6 Review

Any organization that implements controls to address risks should periodically examine those controls to determine that this is being achieved.

A

WORKING AS INTENDED and DESIGNED

25
Q

Chapter 6 Review

SOC 1 and SOC 2 audits provide assurances of effective control design (Type I and Type II) and implementation (Type II only) in whom?

A

THIRD-PARTY SERVICE PROVIDERS

26
Q

Chapter 6 Review

These 2 audits provide assurances of effective control design (Type I and Type II) and implementation (Type II only) in third parties.

A

SOC 1 and SOC 2

27
Q

Chapter 6 Review

An essential function in information security management is to establish activities that determine that these 2 things are true of security safeguards.

A

IN PLACE and WORKING PROPERLY

These activities range from informal security reviews to formal and highly structured security audits.

28
Q

Chapter 6 Review

This is a systematic and repeatable process whereby a competent and independent professional evaluates one or more controls, interviews personnel, obtains and analyzes evidence, and develops a written opinion on the effectiveness of a control.

A

AUDIT

29
Q

Chapter 6 Review

An audit is a systematic and repeatable process whereby a competent and independent professional:

  1. ____ ; Evaluates one or more of these safeguards
  2. ____ ; Interviews these people
  3. ____ ; Obtains and analyses this which is proof of results
  4. ____ ; Develops a written opinion on this in regards to control(s)
A
  1. CONTROLS
  2. PERSONNEL
  3. EVIDENCE
  4. EFFECTIVENESS OF A CONTROL
30
Q

Chapter 6 Review

This is a methodology used by an organization to internally review these 3 components:

  1. Key business objectives
  2. Risks related to achieving objectives
  3. Key controls designed to manage risks.
A

CONTROL SELF-ASSESSMENT
(CSA)

31
Q

Chapter 6 Review

This organisational asset is generally considered the largest and most vulnerable portion of an organization’s attack surface.

A

PERSONNEL

32
Q

Chapter 6 Review

Personnel are the primary weak point in information security, mainly because of:

  1. ____ ; a decision that can often cause a mistake
  2. ____ ; Someone not paying complete attention
  3. ____ ; A person feeling run down or tired
  4. ____ ; a feeling when you recognise the importance or deadlines of duties
  5. ____ ; Lack of training
A
  1. LAPSE IN JUDGEMENT
  2. INATTENTIVENESS
  3. FATIGUE
  4. WORK PRESSURE
  5. SHORTAGE OF SKILLS
33
Q

Chapter 6 Review

This critical activity attempts to identify risks in third-party organizations that have access to critical or sensitive data or that perform critical operational functions.

A

THIRD-PARTY RISK MANAGEMENT

34
Q

Chapter 6 Review

Various techniques are needed to identify and manage risks with third parties because their internal operations and risks are generally not very what?

A

TRANSPARENT

35
Q

Chapter 6 Review

Third parties are assessed mainly through the use of these 2 methods

A
  1. QUESTIONNAIRES
  2. REQUESTS FOR EVIDENCE
36
Q

Chapter 6 Review

Most organizations depend on large numbers of third-party services, so they employ this matrix to identify the third parties that are the most critical to the organization.

A

RISK TIER SCHEME

Third Parties at a higher level of risk undergo more frequent and rigorous risk assessments, while those at lower levels undergo less frequent and less rigorous risk assessments.

37
Q

Chapter 6 Review

The management of business relationships with third parties is what sort of process?

A

LIFE-CYCLE

The life cycle begins when an organization contemplates the use of a third party to augment or support the organization’s operations in some way.

38
Q

Chapter 6 Review

The life cycle management process with third parties continues during the ongoing relationship with the third party and concludes when the organization has no what?

A

REQUIREMENT OF THE SERVICE

39
Q

Chapter 6 Review

This is the lifeblood of an effective information security program.

A

COMMUNICATIONS

40
Q

Chapter 6 Review

Lacking effective communication, the security manager will have difficulty interacting with these people for the exchange of objectives, risk information and metrics.

A

EXECUTIVE MANAGEMENT

41
Q

Chapter 6 Review

If communication is ineffective, it will hamper these 2 security-related things throughout the business.

A

ACTIVITIES and PROCESSES

42
Q

Chapter 6 Review

Security programs include a variety of these activities that are vital to their success.

A

ADMINISTRATIVE

43
Q

Chapter 6 Review

One important success factor of a security program is the development of these with internal departments and external organisations.

A

STRATEGIC PARTNERSHIPS / RELATIONSHIPS

44
Q

Chapter 6 Review

Strategic partnerships with internal departments and external organisations enable the security manager to do this in terms of events.

A

BETTER INFLUENCE

It also allows them to learn more about external events, and obtain assistance from outside entities as needed

45
Q

Chapter 6 Review

This represents a collection of operational activities designed to ensure the quality of IT services and includes several business processes such as:

  1. service desk
  2. incident management
  3. problem management
  4. change management
  5. configuration management
  6. release management
  7. service-level management
  8. financial management
  9. capacity management
  10. service continuity management
  11. availability management
A

IT SERVICE MANAGEMENT

46
Q

Chapter 6 Review

When senior management expresses concerns about the effectiveness of the information security program, the security manager should carry out this activity with senior managers to address their concerns.

A

INTERVIEW SENIOR MANAGEMENT

47
Q

Chapter 6 Review

Achieving this in regards to resources is the best indication a security manager is achieving value delivery

A

HIGH RESOURCE UTILIZATION

48
Q

Chapter 6 Review

This is the best metric a security manager can use to evaluate the result of a security program

A

PERCENTAGE OF CONTROL OBJECTIVES ACHIEVED

49
Q

Chapter 6 Review

Control objectives are directly related to these objectives

A

BUSINESS OBJECTIVES

50
Q

Chapter 6 Review

Obtaining another party’s public key is required to initiate this activity

A

AUTHENTICATION

51
Q

Chapter 6 Review

Compared with secret key encryption, this type of encryption is computationally more intensive.

A

PUBLIC KEY

  • Public key encryption is computationally intensive due to the long key lengths required
  • Secret key encryption requires much shorter key lengths to achieve equivalent strength
52
Q

Chapter 6 Review

This type of key is more problematic for scaling as it requires a key for each pair of individuals

A

SYMMETRICAL KEY
(secret key encryption)

Symmetrical or secret key encryption requires a key for each pair of individuals who wish to have confidential communications. This results in an exponential increase in the number of keys, which in turn creates intractable distribution and storage problems.

53
Q

Chapter 6 Review

Wi-Fi Protected Access 2 (WPA2) combined with this type of authentication is the strongest form of wireless authentication currently available.

A

802.1x

WPA2 and 802.1x authentication is the strongest form of wireless authentication currently available. WPA2 combined with 802.1x forces the user to authenticate using strong Advanced Encryption Standard encryption

54
Q

Chapter 6 Review

This service is an authority within an organisation's network that verifies (authenticates) user requests for a digital certificate and tells the Certificate Authority (CA) to issue it.

A

REGISTRATION AUTHORITY
(RA)

The registration authority’s (RA’s) private key is in the possession of the RA, often stored on a smart card or laptop, and is typically protected by a password and, therefore, is potentially accessible. If the RA’s private key is compromised, it can be used to register anyone for a certificate using any identity, compromising the entire public key infrastructure for that CA

55
Q

Chapter 6 Review

This service is either internal or public and is responsible for the issuing and revoking of certificates

A

CERTIFICATE AUTHORITY
(CA)
