CISSP Sybex Official Study Guide Chapter 2 Review Questions Flashcards
Which of the following is the weakest element in any security solution?
A. Software products
B. Internet connections
C. Security policies
D. Humans
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 93). Wiley. Kindle Edition.
D. Humans
Explanation:
Regardless of the specifics of a security solution, humans are the weakest element.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 951). Wiley. Kindle Edition.
When seeking to hire new employees, what is the first step?
A. Create a job description.
B. Set position classification.
C. Screen candidates.
D. Request résumés.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 93). Wiley. Kindle Edition.
A. Create a job description.
Explanation:
The first step in hiring new employees is to create a job description. Without a job description, there is no consensus on what type of individual needs to be found and hired.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 951). Wiley. Kindle Edition.
Which of the following is a primary purpose of an exit interview?
A. To return the exiting employee’s personal belongings
B. To review the nondisclosure agreement
C. To evaluate the exiting employee’s performance
D. To cancel the exiting employee’s network access accounts
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 93). Wiley. Kindle Edition.
B. To review the nondisclosure agreement
Explanation:
The primary purpose of an exit interview is to review the nondisclosure agreement (NDA) and other liabilities and restrictions placed on the former employee based on the employment agreement and any other security-related documentation.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 951). Wiley. Kindle Edition.
When an employee is to be terminated, which of the following should be done?
A. Inform the employee a few hours before they are officially terminated.
B. Disable the employee’s network access just as they are informed of the termination.
C. Send out a broadcast email informing everyone that a specific employee is to be terminated.
D. Wait until you and the employee are the only people remaining in the building before announcing the termination.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 93). Wiley. Kindle Edition.
B. Disable the employee’s network access just as they are informed of the termination.
Explanation:
You should remove or disable the employee’s network user account immediately before or at the same time they are informed of their termination.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 951). Wiley. Kindle Edition.
If an organization contracts with outside entities to provide key business functions or services, such as account or technical support, what is the process called that is used to ensure that these entities support sufficient security?
A. Asset identification
B. Third-party governance
C. Exit interview
D. Qualitative analysis
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 93). Wiley. Kindle Edition.
B. Third-party governance
Explanation:
Third-party governance is the application of security oversight on third parties that your organization relies on.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 951). Wiley. Kindle Edition.
A portion of the __________________ is the logical and practical investigation of business processes and organizational policies. This process/policy review ensures that the stated and implemented business tasks, systems, and methodologies are practical, efficient, and cost-effective, but most of all (at least in relation to security governance) that they support security through the reduction of vulnerabilities and the avoidance, reduction, or mitigation of risk.
A. Hybrid assessment
B. Risk aversion process
C. Countermeasure selection
D. Documentation review
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 94). Wiley. Kindle Edition.
D. Documentation review
Explanation:
A portion of the documentation review is the logical and practical investigation of business processes and organizational policies.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 951). Wiley. Kindle Edition.
Which of the following statements is not true?
A. IT security can provide protection only against logical or technical attacks.
B. The process by which the goals of risk management are achieved is known as risk analysis.
C. Risks to an IT infrastructure are all computer based.
D. An asset is anything used in a business process or task.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 94). Wiley. Kindle Edition.
C. Risks to an IT infrastructure are all computer based.
Explanation:
Risks to an IT infrastructure are not all computer based. In fact, many risks come from noncomputer sources. It is important to consider all possible risks when performing risk evaluation for an organization. If it fails to properly evaluate and respond to all forms of risk, a company remains vulnerable.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 951). Wiley. Kindle Edition.
Which of the following is not an element of the risk analysis process?
A. Analyzing an environment for risks
B. Creating a cost/benefit report for safeguards to present to upper management
C. Selecting appropriate safeguards and implementing them
D. Evaluating each threat event as to its likelihood of occurring and cost of the resulting damage
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 95). Wiley. Kindle Edition.
C. Selecting appropriate safeguards and implementing them
Explanation:
Risk analysis includes analyzing an environment for risks, evaluating each threat event as to its likelihood of occurring and the cost of the damage it would cause, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management. Selecting safeguards is a task of upper management based on the results of risk analysis. It is a task that falls under risk management, but it is not part of the risk analysis process.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 952). Wiley. Kindle Edition.
Which of the following would generally not be considered an asset in a risk analysis?
A. A development process
B. An IT infrastructure
C. A proprietary system resource
D. Users’ personal files
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 95). Wiley. Kindle Edition.
D. Users’ personal files
Explanation:
The personal files of users are not usually considered assets of the organization and thus are not considered in a risk analysis.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 952). Wiley. Kindle Edition.
Which of the following represents accidental or intentional exploitations of vulnerabilities?
A. Threat events
B. Risks
C. Threat agents
D. Vulnerabilities
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 95). Wiley. Kindle Edition.
A. Threat events
Explanation:
Threat events are accidental or intentional exploitations of vulnerabilities.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 952). Wiley. Kindle Edition.
When a safeguard or a countermeasure is not present or is not sufficient, what remains?
A. Vulnerability
B. Exposure
C. Risk
D. Penetration
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 95). Wiley. Kindle Edition.
A. Vulnerability
Explanation:
A vulnerability is the absence or weakness of a safeguard or countermeasure.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 952). Wiley. Kindle Edition.
Which of the following is not a valid definition for risk?
A. An assessment of probability, possibility, or chance
B. Anything that removes a vulnerability or protects against one or more specific threats
C. Risk = threat * vulnerability
D. Every instance of exposure
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 95). Wiley. Kindle Edition.
B. Anything that removes a vulnerability or protects against one or more specific threats
Explanation:
Anything that removes a vulnerability or protects against one or more specific threats is considered a safeguard or a countermeasure, not a risk.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 952). Wiley. Kindle Edition.
When evaluating safeguards, what is the rule that should be followed in most cases?
A. The expected annual cost of asset loss should not exceed the annual costs of safeguards.
B. The annual costs of safeguards should equal the value of the asset.
C. The annual costs of safeguards should not exceed the expected annual cost of asset loss.
D. The annual costs of safeguards should not exceed 10 percent of the security budget.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 95). Wiley. Kindle Edition.
C. The annual costs of safeguards should not exceed the expected annual cost of asset loss.
Explanation:
The annual costs of safeguards should not exceed the expected annual cost of asset loss.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 952). Wiley. Kindle Edition.
How is single loss expectancy (SLE) calculated?
A. Threat + vulnerability
B. Asset value ($) * exposure factor
C. Annualized rate of occurrence * vulnerability
D. Annualized rate of occurrence * asset value * exposure factor
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 95). Wiley. Kindle Edition.
B. Asset value ($) * exposure factor
Explanation:
SLE is calculated using the formula SLE = asset value ($) * exposure factor (SLE = AV * EF).
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 952). Wiley. Kindle Edition.
How is the value of a safeguard to a company calculated?
A. ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard
B. ALE before safeguard * ARO of safeguard
C. ALE after implementing safeguard + annual cost of safeguard – controls gap
D. Total risk – controls gap
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 95). Wiley. Kindle Edition.
A. ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard
Explanation:
The value of a safeguard to an organization is calculated by ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard [(ALE1 – ALE2) – ACS].
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 952). Wiley. Kindle Edition.
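The last three cards (the rule that a safeguard's annual cost should not exceed the expected annual loss, SLE = AV * EF, and safeguard value = (ALE1 - ALE2) - ACS) are pieces of one cost/benefit calculation. The Python below is an added worked example, not material from the study guide: it chains the formulas across several candidate safeguards and flags any whose cost breaks the rule. The asset figures and the three safeguards are constructed for illustration, and ALE = SLE * ARO is the standard definition the cards rely on but do not spell out.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost/benefit.

Added worked example for this flashcard set; not from the study guide.
Formulas from the cards: SLE = AV * EF and safeguard value = (ALE1 - ALE2) - ACS.
ALE = SLE * ARO is the standard definition the cards use but do not state.
All dollar figures and safeguards below are constructed, not real data.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF is the fraction of the asset's value lost in one event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError(f"exposure factor {exposure_factor} must lie in [0, 1]")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO is the expected number of events per year (may be < 1)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and the residual risk it leaves (hypothetical figures)."""
    name: str
    annual_cost: float      # ACS: purchase, maintenance and operating cost per year
    residual_ef: float      # exposure factor once the safeguard is in place
    residual_aro: float     # rate of occurrence once the safeguard is in place


@dataclass(frozen=True)
class Evaluation:
    """One row of the cost/benefit report handed to management."""
    name: str
    ale_before: float       # ALE1
    ale_after: float        # ALE2
    annual_cost: float      # ACS
    value: float            # (ALE1 - ALE2) - ACS
    within_loss_rule: bool  # ACS <= expected annual loss (ALE1), per the card above


def evaluate_safeguard(asset_value: float, ef: float, aro: float, sg: Safeguard) -> Evaluation:
    """Apply the three formulas to a single candidate safeguard."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, sg.residual_ef), sg.residual_aro)
    value = (ale_before - ale_after) - sg.annual_cost
    return Evaluation(sg.name, ale_before, ale_after, sg.annual_cost, value,
                      sg.annual_cost <= ale_before)


def rank_safeguards(asset_value: float, ef: float, aro: float, safeguards) -> list:
    """Evaluate every candidate and sort by value, highest first.

    This is the risk-analysis output; choosing among the rows is management's
    risk-management decision, which the cards keep separate.
    """
    evals = [evaluate_safeguard(asset_value, ef, aro, sg) for sg in safeguards]
    return sorted(evals, key=lambda e: e.value, reverse=True)


# Constructed scenario: a customer-records server valued at $200,000 facing a
# ransomware event that destroys a quarter of its value roughly once every two years.
ASSET_VALUE = 200_000.0
EXPOSURE_FACTOR = 0.25
ARO = 0.5

CANDIDATES = (
    Safeguard("Accept the risk (no safeguard)", 0.0, 0.25, 0.5),
    Safeguard("Offline backups + tested restore", 5_000.0, 0.05, 0.5),
    Safeguard("Hot-site failover", 30_000.0, 0.01, 0.5),
)

if __name__ == "__main__":
    for e in rank_safeguards(ASSET_VALUE, EXPOSURE_FACTOR, ARO, CANDIDATES):
        flag = "" if e.within_loss_rule else "  <- cost exceeds expected annual loss"
        print(f"{e.name:34} ALE1={e.ale_before:>9,.0f} ALE2={e.ale_after:>8,.0f} "
              f"ACS={e.annual_cost:>8,.0f} value={e.value:>9,.0f}{flag}")
```

Running it ranks the backup option first (SLE $50,000, ALE1 $25,000, ALE2 $5,000, value $15,000), accepting the risk second (value $0), and the hot site last: it reduces ALE the most, but its $30,000 annual cost exceeds the $25,000 expected annual loss, so its value is negative and it violates the rule on the card. A safeguard with a negative value is spending more than the loss it prevents, which is exactly the case the rule is meant to catch.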