CISSP: Information Security Governance and Risk Management Flashcards
- The three elements of the C-I-A triad include
A. Confidentiality, integrity, authentication
B. Confidentiality, integrity, availability
C. Confidentiality, integrity, authorization
D. Confidentiality, integrity, accountability
B. Confidentiality, integrity, availability
Confidentiality, integrity, and availability are the three elements of the C-I-A triad. Authentication, authorization, and accountability are access control concepts. Review “Information Security Governance Concepts and Principles.”
- Which of the following government data classification levels describes information that, if compromised, could cause serious damage to national security?
A. Top Secret
B. Secret
C. Confidential
D. Sensitive but Unclassified
B. Secret
Top Secret information leaks could cause grave damage. Confidential information breaches could cause damage. Sensitive but Unclassified information doesn’t have a direct impact on national security. Review “Government data classification.”
- The practice of regularly transferring personnel into different positions or departments within an organization is known as
A. Separation of duties
B. Reassignment
C. Lateral transfers
D. Job rotations
D. Job rotations
Separation of duties is related to job rotations, but is distinctly different. Reassignment and lateral transfers are functionally equivalent to job rotations but aren’t necessarily done for the same reasons and aren’t considered security employment practices. Review “Job rotations.”
- The individual responsible for assigning information classification levels for assigned information assets is
A. Management
B. Owner
C. Custodian
D. User
B. Owner
Although an information owner may be in a management position and also considered a user, the information owner role has the responsibility for assigning information classification levels. An information custodian is responsible for day-to-day security tasks. Review “Security roles and responsibilities.”
- Most security policies are categorized as
A. Informative
B. Regulatory
C. Mandatory
D. Advisory
D. Advisory
Although not mandatory, advisory policies are highly recommended and may provide penalties for failure to comply. Review “Policies.”
- A baseline is a type of
A. Policy
B. Guideline
C. Procedure
D. Standard
D. Standard
A baseline takes into account system-specific parameters to help an organization identify appropriate standards. Review “Standards (and baselines).”
- Which of the following is not considered a general remedy for risk management?
A. Risk reduction
B. Risk acceptance
C. Risk assignment
D. Risk avoidance
D. Risk avoidance
Although risk avoidance is a valid concept, it’s impossible to achieve and therefore not considered a general remedy for risk management. Review “Risk control.”
- Failure to implement a safeguard may result in legal liability if
A. The cost to implement the safeguard is less than the cost of the associated loss.
B. The cost to implement the safeguard is more than the cost of the associated loss.
C. An alternate but equally effective and less expensive safeguard is implemented.
D. An alternate but equally effective and more expensive safeguard is implemented.
A. The cost to implement the safeguard is less than the cost of the associated loss.
This basic legal liability test determines whether the cost of the safeguard is less than the cost of the associated loss if a threat event occurs. Review “Legal liability.”
- A cost-benefit analysis is useful in safeguard selection for determining
A. Safeguard effectiveness
B. Technical feasibility
C. Cost-effectiveness
D. Operational impact
C. Cost-effectiveness
A cost-benefit analysis can’t help an organization determine the effectiveness of a safeguard, its technical feasibility, or its operational impact. Review “Cost-effectiveness.”
- ALE is calculated by using the following formula:
A. SLE × ARO × EF = ALE
B. SLE × ARO = ALE
C. SLE + ARO = ALE
D. SLE – ARO = ALE
B. SLE × ARO = ALE
SLE × ARO = ALE is the correct formula for calculating ALE, where SLE is the Single Loss Expectancy, ARO is the Annualized Rate of Occurrence, and ALE is the Annualized Loss Expectancy (expressed in dollars). Review “Risk analysis.”
- Which of the following accurately describes the risk management techniques?
A. Risk acceptance, risk transference, risk avoidance, risk mitigation
B. Risk acceptance, risk containment, risk avoidance, risk mitigation
C. Risk acceptance, risk mitigation, risk containment, risk qualification
D. Risk avoidance, risk migration, risk containment, risk qualification
A. Risk acceptance, risk transference, risk avoidance, risk mitigation
The four risk management techniques are risk mitigation, risk transference, risk avoidance, and risk acceptance.
- Which of the following identifies a model that specifically targets security and not governance of an entire enterprise? (Choose all that apply.)
A. The Zachman framework
B. COBIT
C. COSO
D. SABSA
B and D. COBIT, SABSA
COBIT (Control Objectives for Information and Related Technologies) and SABSA (the Sherwood Applied Business Security Architecture) are security models. The Zachman framework and COSO (the Committee of Sponsoring Organizations of the Treadway Commission) are enterprise frameworks.
- Which of the following terms enables management to be less than perfect and still avoid being negligent in lawsuits?
A. Due care
B. Prudency
C. Due diligence
D. Threat agent
B. Prudency
Management must implement controls prudently to avoid being negligent. The controls do not need to be perfect, but must be implemented as others (or a prudent person) would under the same circumstances.
- Which of the following describes interviewing people anonymously?
A. ISO/IEC 27001
B. Qualitative valuation
C. The Delphi method
D. Quantitative valuation
C. The Delphi method
The Delphi method describes interviewing people anonymously.
- Which of the following describes the appropriate standard for governance of third-party providers?
A. A nondisclosure agreement (NDA)
B. An acceptable use policy
C. The same level as employees
D. The same level as defined by the ISC2 Code of Ethics
C. The same level as employees
The appropriate standard for the governance of third-party providers is the same level as for employees, which includes all the policies, training, monitoring, and so on that would be performed internally.