Domain 1: Information Security Governance and Risk Management

Question 1

What does the acronym ALE stand for ?

Answer 1

Annual Loss Expectancy

Question 2

What does Annual Loss Expectancy (ALE) mean?

Answer 2

Allows security practitioners to determine the annual cost of a loss due to risk.

Question 3

What is the Annual Loss Expectancy (ALE) Formula?

Answer 3

Single Loss Expectancy (SLE) X Annual Rate of Occurrence (ARO)

Question 4

What does the Annual Rate of Occurrence (ARO) mean?

Answer 4

The number of losses you suffer per year

Question 5

What does the acronym ARO stand for?

Answer 5

Annual Rate of Occurrence

Question 6

What does the phrase

Exposure Factor (EF)

mean in the Annual Loss Expectancy section?

Answer 6

The Percentage of value an Asset lost due to an incident.

Question 7

What does Asset Value (AV) mean?

Answer 7

The value of an asset you are trying to protect.

Question 8

What does ROI stand for?

Answer 8

Return on Investment

Question 9

What does the acronym EF stand for in the Annual Loss Expectancy section?

Answer 9

Exposure Factor

Question 10

What does the phrase

Single Loss Expectancy (SLE)

mean in the Annual Loss Expectancy (ALE) section?

Answer 10

The cost of a single Loss.

Question 11

What does the acronym

SLE

stand for?

Answer 11

Single Loss Expectancy

Question 12

What is the

Single LossExpectancy (SLE)

Formula?

Answer 12

SLE = AV * EF

Question 13

What does the phrase

Return on Investment (ROI)

mean?

Answer 13

The amount of money saved by implementing a safguard

Question 14

What component can you add to the a

Risk Calculation

to give it more meaning?

Answer 14

Add Impact to the equation: Risk = Threat * Vulnerability * Impact

Question 15

What does AV stand for in the Annual Loss Expectancy framework?

Answer 15

Asset Value

Question 16

What does

Total Cost of Ownership (TCO)

mean?

Answer 16

The total cost of a mitigated safeguard

Question 17

What does the acronym

TCO

stand for?

Answer 17

Total Cost of Ownership

Question 18

What is the

Single Loss Expectancy (SLE)

Formula?

Answer 18

Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF)

Question 19

Can a certification be performed by a trusted third party?

Answer 19

Yes

Question 20

Who accepts the risk in an Accreditation?

Answer 20

The Data Owner

Question 21

What is a certification?

Answer 21

A detailed inspection that verifies whether a system meets the documented security requirements.

Question 22

When a certification is performed by a trusted third party, are the issues identified recommendations

or

mandatory

actions?

Answer 22

Recommendations

Question 23

What is an Accreditation?

Answer 23

The Data Owner’s acceptance of the risk represented by the system.

Question 24

What are NIST’s four steps to accreditation?

Answer 24

1: Initiation Phase (Research)
2: Security Certification Phase (Assessment)
3: Security Accreditation Phase (Decision to Accept Risk)
4: Continuous Monitoring Phase (Monitor)

Question 25

What is an example of System Alteration in the CIA model?

Answer 25

Malcode Install

Question 26

What is an example of Destruction in the CIA model?

Answer 26

DDOS

Question 27

What is an example of an Availability Failure in the CIA model?

Answer 27

DDOS Attack

Question 28

What does Integrity mean in he CIA model?

Answer 28

Protections against unauthorized and undetected alteration of information

Question 29

What is an example of Disclosure in the CIA model?

Answer 29

Wikileaks

Question 30

What is an example of a Confidentiality Failure in the CIA model?

Answer 30

Wikileaks

Question 31

What does Confidentiality mean in the CIA model?

Answer 31

Protections against unauthorized disclosure of information

Question 32

What does CIA stand for?

Answer 32

Confidentiality

Integrity

Availability

Question 33

What is the Opposite of Integrity in the CIA model?

Answer 33

Alteration

Question 34

What is an example of Data Alteration in the CIA model?

Answer 34

Web Page Defacement

Question 35

What is the Opposite of Confidentiality in the CIA model?

Answer 35

Disclosure

Question 36

What is an example of a System Integrity Failure in the CIA model?

Answer 36

Malcode Infection

Question 37

What does Availability mean in the CIA model?

Answer 37

Protections against denying authorized parties access to information when needed

Question 38

What is the Opposite of Availability in the CIA model?

Answer 38

Destruction

Question 39

What is an example of a Data Integrity Failure in the CIA model?

Answer 39

Web Page Alteration

Question 40

What does

Least Privilege

meanin the Cornerstone Concept section?

Answer 40

A user should only have the bare minimum Authorization to do his job and no more.

Question 41

What does the phrase

Need to Know

mean?

Answer 41

Even if the user has the privilege to do something, it doe not mean that he needs to know it because of his job.

Question 42

What is more granular?

Need to Know

or

Least Privilege?

Answer 42

Need to Know

Question 43

What does Defense in Depth mean in the Cornerstone Concepst section?

Answer 43

A Layered Defense that reduces the risk of a single point of failure.

Question 43

When discussing policy, the exam will use words like Mandatory (compulsory) or Discretionary. Best Practices are usually

Answer 43

discretionary but if you decide not to follow them, you better have a good reason.

Question 43

Do not confuse the Data Owner with a person who owns his own data.

Answer 43

The Data Owner is responsible for ensuring the data is protected. A user who owns his own data has read/write access.

Question 44

Memory Device: Quantitative –

Answer 44

Quantity – Hard Numbers

Question 45

When human life is at risk,

Answer 45

practitioners must weigh those consequences very high.

Question 46

What are the three parts to teh ISC Code of Ethics?

Answer 46

Preamble: Introduction

Canons: Mandatory and Applied in order

Guidance: Advisory

Question 46

Always choose the most ethical answer

Answer 46

in order of the canons.

Question 47

What is Ethics?

Answer 47

Ethics is doing what is morally right

Question 49

What are the ISC Code of Ethics Canons in order?

Answer 49

1: Protect society, the commonwealth, and the infrastructure.
2: Act honorably, honestly, justly, responsibly, and legally.
3: Provide diligent and competent service to principals.
4: Advance and Protect the profession.

Question 50

What does IAAA stand for?

Answer 50

Identity

Authentication

Authorization

Accountability

Question 51

What is an example of an Identity in the IAAA model?

Answer 51

Username

Question 52

What is an example of Authorized Use in the IAAA model?

Answer 52

Regular users can see their own processes but cannot see the password file.

Question 53

What does Authorization mean in the IAAA model?

Answer 53

Permissions that the identity can perform an action on a system;

Question 54

What does Nonrepudiation mean?

Answer 54

Users cannot deny actions identified through Accountability procedures within the IAAA framework.

Identity is validated through Authentication transactions.

Integrity of the system is validated with Accountability (through logging and audit of transactions).

Question 55

“To Repudiate” means

Answer 55

to deny

Question 56

What are three examples of Accountability in the IAAA model?

Answer 56

Logging

Audit

Sanctions.

Question 57

What is meant by Authentication in the IAAA model?

Answer 57

The process of proving the identity claim; Ex - password

Question 57

What is an example of an authentication (Identity Claim) response?

Answer 57

Password

Question 58

What is Accountability in the IAAA model?

Answer 58

Ensuring that authorizations have not been violated by examining computer transactions.

Question 60

What is an Identity in the IAAA model?

Answer 60

Identitiy Is a claim of personhood or role (Rick or Admin)

Question 61

Name two things that

Standards

help with the business

Answer 61

1 - They lower the Total Cost of Ownership (TCO).

2 - They support disaster recovery.

Question 62

What is the name of the

informal rule

used to describe

**Due Care **

in the Information Security Governance section?

Answer 62

Prudent Man Rule

Question 63

In the Information Security Governance section, what are three sources for

Best Practices?

Answer 63

1: NIST
2: NSA
3: SANS

Question 64

What is a

Policy

fromt the Information Security Governance section?

Answer 64

High-level management directives.

Question 65

What is a Guideline in the Information Security Governance section?

Answer 65

A discretionary piece of useful advice; a recommendation; especially good for novice users.

Question 65

What does the word **Baselines **mean in the Information Security Governance section?

Answer 65

Discretionary but Uniform ways of implementing a safeguard.

Question 66

In the Information Security Governance section, is ignorance an acceptable excuse for non-compliance?

Answer 66

An organization must be in compliance with all laws and regulations that apply to it. Ignorance of any law is never a valid excuse for breaking it.

Question 67

What is Due Care in the Information Security Governance section?

Answer 67

Actions that a reasonable man would do.

Question 68

What does the phrase Information Security Governance mean?

Answer 68

The policies, processes and staffing approved by senior management that make up the organization’s

Information Security Program.

Question 69

What is a

Standard

in the Information Security Governance section?

Answer 69

Describes a specific and Mandatory use of a technology; usually hardware or software.

Question 70

In the Information Security Governance, If you lose some PII and

cannot demonstrate Due Care

you are

Answer 70

Grossly Negligent

Question 71

What does the phrase Gross Negligence mean in the Information Security Governance section?

Answer 71

It is the opposite of Due Care.

Question 72

What is an Issue-Specific Policy in the Information Security Governance section?

Answer 72

It is one of three policy types (Program - Issue - System) that govern security rules for a category of activity and not the overall program and not s system. Ex: Email Policy, Email Privacy Policy

Question 73

What is a

Program Policy

in the Information Security Governance section?

Answer 73

It is one of three types of policies (Program- Issue - System) that creates an organization’s computer security program.

Question 74

What are

Procedures

in the Information Security governance section?

Answer 74

Mandatory, Step-by-Step Guides for accomplishing tasks.

They are low-level and specific.

Question 75

What is the difference between a

Data Owner

vs

a Person Who Owns His Own Data

in the Information Security Governance section?

Answer 75

The Data Owner is responsible for ensuring the data is protected.

A User Who Owns His Own Data has read/write access.

Question 77

What are the

three Policy Types

from the Information Securitiy Governance section?

Answer 77

1: Program Policy
2: Issue-Specific Policy
3: System Specific Policy

Question 77

What are the five tools you can use to govern Information Security?

Answer 77

1 - Policy: High Level Mgt Directives (Mandatory)

2 -Procedures: Instructions for completing a task (Mandatory)

3 - Standard: A specific use for a technology (Mandatory)

4 - Guideline: Advice (Discretionary)

5 - Baseline A Starting point (Discretionary)

Question 79

What is a Best Practice in the Information Security Governance section?

Answer 79

It is a consensus of the best way to protect CIA (Confidentiality, Integrity, and Availability).

Question 80

What does the phrase Due Diligence mean in the Information Security Governance section?

Answer 80

It is a formal process for the management of Due Care..

Question 80

What is a good way to demonstrate

Due Care and Due Diligence

in the Information Security Governance section?

Answer 80

Following Best Practices

Question 81

What is an example of a

System-Specific Policy

Answer 81

File Server Policy, Web Server Policy

Question 82

What does Outsourcing mean?

Answer 82

Using a third party to provide IT support services which were previously performed in-house.

Question 83

What does Offshoring mean?

Answer 83

Outsourcing to another country

Question 84

What does

Privacy

mean?

Answer 84

The protection of Personally Identifiable Information (PII).

The protection of this kind of information must be assured.

Question 85

Qualitative Risk Assessment vs Quantitative Risk Analysis

Answer 85

More subjective but easier to calculate

Question 86

In a Qualitative Risk Assessment, how is a

Risk Matrix

used?

Answer 86

Uses a quadrant grid to map the likelihood

(Rare – Unlikely – Possible – Likely – Certain)

of a Risk occurring against the Impact

(Insignificant – Minor – Moderate – Major – Catastrophic).

Question 87

Which is

easier to calculate?

Qualitative Risk Analysis

or

Quantitative Risk Analysis

Answer 87

Qualitative Risk Analysis

Question 88

What is the

formula

associated with

Quantitative Risk Analysis?

Answer 88

Annual Loss Expectancy (ALE) formula

Question 89

What does the phrase

Qualitative Risk Analysis

mean?

Answer 89

Uses approximate values to calculate Risk

Question 90

What are the four benefits of using a

Risk Matrix

for

Qualitative Analysis

Answer 90

1: Distinguish between High-Likelihood/Low-Consequences and High-Consequences/Low-Likelihood risks which have the same risk rating value.
2: Graphically display risks, thus makes them easier to analyse
3: Select risks for prioritising and further actions
4: Communicate risk

Question 91

What does

Quantitative Risk Analysis

mean?

Answer 91

Uses hard numbers to calculate Risk

Question 92

Which is more

objective?

Quantitative Risk Analysis

or

Qualitative Risk Analysis

Answer 92

**Quantitative Risk Analysis **

Question 93

What is a Threat?

Answer 93

A potential harmful occurrence like earthquakes, cyber espionage, etc.

Question 93

What is a Risk?

Answer 93

A connection between a Threat and a Vulnerability.

Threat X Vulnerability

Security practitioners have assigned arbitrary values to Threats and Vulnerabilities to assess risk. Use any scale as long as you stay consistent.

Question 96

What is a Vulnerability?

Answer 96

Weaknesses in the defenses that can cause harm.

Question 98

What is the Risk formula?

Answer 98

Threat X Vulnerability

Question 99

What does Impact mean when calculating Risk?

Answer 99

An evaluation of the consequences if the Threat is realized (Somebody or something leverages the Vulnerability).

Question 100

What is the

impact

when Human life is on the line in the Risk Analysis section?

Answer 100

Impact is always very high

Question 100

What does the acronym TCO stand for in the Risk Analysis section?

Answer 100

Total Cost of Ownership

Question 102

What is an **Asset **in Risk Analysis?

Answer 102

Valuable company resources like Data, systems, people, property, IP, etc.

Question 103

In calculating Risk, do security practioners use arbitrary values or precise valuses for Threats and Vulnerabilities?

Answer 103

Arbitrary

Use any scale as long as you stay consistent.

Question 104

According to NIST, what are the

9 Steps

in the process to asses

Risk

in an organization?

Answer 104

1: System Characterization
2: Threat identification
3: Vulnerability Identification
4: Control Analysis
5: Likelihood Determination
6: Impact Analysis
7: Risk Determination
8: Control recommendations
9: Results Documentation

Question 105

What are two ways to measure Impact in the Risk Analysis section?

Answer 105

Sometimes those consequences are in terms of money lost (Cost).

Sometimes those consequences are more moral (human lives lost).

Question 109

In the Risk Analysis Framework section, What does PCI stand for?

Answer 109

Payment Card Industry.

Question 110

Who does the Payment Card Industry (PCI) framework protect?

Answer 110

Vendors who use credit cards.

Question 111

What does the acronym OCTAVE stand for in the Risk Analysis Framework section?

Answer 111

Operationally

Critical

Threat

Asset and

Vulnerability

Evaluation

Question 112

Who built OCTAVE in the Risk Analysis Frameworks section?

Answer 112

Carnegie Mellon

Question 112

What are the 11 areas that ISO 17799 focuses on in the Risk Analysis Frameworks section?

Answer 112

1: Policy
2: Organization of Information Security
3: Asset Management
4: Human Resource Security
5: Physical and Environmental Security
6: Communications and Operational Management
7: Access Control
8: Information Systems Acquisition, development and maintenance
9: Information Security Incident Management
10: Business Continuity Management
11: Compliance

Question 113

What is ISO in the Risk Analysis Frameworks

Answer 113

An International Organization for Standardization

Question 113

Why did ISO renumber ISO 17799 to **ISO 27002 **in the Risk Analysis Frameworks section?

Answer 113

Consistency

Question 114

What does ISO 27001 describe in the Risk Analysis Frameworks section?

Answer 114

a process for auditing (requirements) those best practices

Question 115

What does teh acronym COBIT stand for in the Risk Analysis Frameworks section?

Answer 115

Control

Objectives for

Information and related

Technologies

Question 116

What are the three phases in OCTAVE from the Risk Analysis Frameworks

Answer 116

1: Identify Staff knowledge, assets and Threats.
2: Identify vulnerabilities and evaluate safeguards.
3: Conduct Risk Analysis and develop risk mitigation strategy.

Question 116

What was ISO 17799 renumbered to in the Risk Analysis Frameworks section?

Answer 116

**ISO 27002 **

Question 116

What does ISO 27002 describe in the Risk Analysis Frameworks section?

Answer 116

Information Security Best Practices (techniques)

Question 116

Who built COBIT in the Risk Analysis Frameworks section?

Answer 116

The Information Systems Audit and Control Association (ISACA)

Question 118

How many phases in OCTAVE from the Risk Analysis Frameworks section?

Answer 118

3

Question 119

Who sponsors the Information Technology Infrastrucre Libray (ITIL) in the Risk Analysis Frameworks section?

Answer 119

The UK Government

Question 120

What does the acronym ITIL stand for in the Risk Analysis Frameworks section?

Answer 120

Information Technology Infrastructure Library

Question 120

What are the five service management practices in the

Information Technology Infrastructure Library (ITIL)

from the Risk Analysis Frameworks section?

Answer 120

1: Service Strategy
2: Service Design
3: Service Transition
4: Service Operations
5: Continual Service Improvement

Question 121

What are the Four Phases in the COBIT Risk Analysis Framework?

Answer 121

1: Plan and Organize
2: Acquire and Implement
3: Deliver & Support
4: Monitor& Evaluate

Question 122

How many areas does ISO 17799 focus on in the Risk Analysis Frameworks section?

Answer 122

11

Question 125

What does

Mitigate

mean in the Risk Choices section?

Answer 125

Lower the risk to an acceptable level

Question 126

What does

Transfer

mean in the Risk Choices section?

Answer 126

Insurance Model - Have somebody else assume the risk

Question 127

What are the five Risk Analysis choices?

Answer 127

Acceptance

Mitigation

Eliminate

Transfer

Avoid

Question 128

What are three examples where you cannot

Accept

the Risk in the Risk Choices section?

Answer 128

Human safety

Laws

Regulations

Question 129

What does

Acceptance

mean in the Risk Choices section?

Answer 129

The cost of doing anything else would be more expensive then the cost associated with the risk itself.

There are some cases (Human safety, Laws, Regulations) where it is not possible to accept the risk.

Question 129

What does

Eliminate

mean in the Risk Choices section?

Answer 129

Remove the risk entirely; do not allow

Question 130

What does

Avoidance

mean in the Risk Choices section?

Answer 130

If the project is too risky, don’t do it.

Compare the Annual Loss Expectancy (ALE) to the ROI after Risk Mitigation. If the ALE is higher, avoid the project.

Question 132

What is a

Data Owner

in the ROLES AND RESPONSIBILITIES section?

Answer 132

Employee responsible for ensuring that specific data is protected;

determines the sensitivity label and the frequency of backup.

He is not the custodian.

Question 132

What does the

User

in the ROLES AND RESPONSIBILITIES section?

Answer 132

They are the people that must follow the policy, procedures, and standards set by the Information Security Program in their day-to-day jobs.

Question 133

What does

Senior Management

do in the ROLES AND RESPONSIBILITIES section?

Answer 133

Creates the information security program

Question 134

What does

Security Awareness

mean?

Answer 134

Changes user behavior;

users already know how to do something and awareness might make them change how they are doing it.

Question 134

What is a

Custodian

in the ROLES AND RESPONSIBILITIES section?

Answer 134

Perform hands-on asset protection:

Backups, restoration, patching, A/V Configuration, etc.

They follow orders, they do not make policy.

Question 136

What does

Security Training

mean?

Answer 136

Provides a skill set; teaches a user how to do something.

Question 137

14: What was ISO 17799 renamed as??

A: BS 7799-0-1.
B: ISO 27000.
C: ISO 27001.
D: ISO 27002.

Answer 137

D: ISO 27002.

Question 140

10: Which of the following describes the duty of the Data Owner?

A: Patch systems.
B: Report suspicious activity.
C: Ensure their files are backed up.
D: Ensure data has proper security labels.

Answer 140

D: Ensure data has proper security labels.

Question 141

1: Which of the following would be an example of a Policy Statement?

A: Protect PII by hardening servers.
B: Harden Windows 7 by first installing the pre-hardened OS image.
C: You may create a strong password by choosing the first letter of each word in a sentence and mixing in numbers and symbols.
D: Download the CISecurity Windows benchmark and apply it.

Answer 141

A: Protect PII by hardening servers.

Question 142

11: Which control framework has 34 processes across four domains?

A: COSO.
B: COBIT.
C: ITIL.
D: OCTAVE.

Answer 142

B: COBIT.

Question 143

12: What is the difference between a standard and a guideline?

A: Standards are compulsory and guidelines are mandatory.
B: Standards are recommendations and guidelines are requirements.
C: Standards are requirements and guidelines are recommendations.
D: Standards are recommendations and guidelines are optional.

Answer 143

C: Standards are requirements and guidelines are recommendations.

Question 144

2: Which of the following describes the money saved by implementing a security control?

A: Total Cost of Ownership (TCO).
B: Asset Value (AV).
C: Return on Investment (ROI).
D: Control Savings.

Answer 144

C: Return on Investment (ROI).

Question 145

13: Which phase of OCTAVE identifies vulnerabilities and safeguards?

A: Phase 1.
B: Phase 2.
C: Phase 3.
D: Phase 4.

Answer 145

B: Phase 2.

Question 146

9: Which of the following steps would be taken while conducting a Qualitative Risk Assessment?

A: Calculate the Asset Value.
B: Calculate the return on Investment.
C: Complete the Risk Analysis Matrix.
D: Complete the ALE.

Answer 146

C: Complete the Risk Analysis Matrix.

Question 147

15: Which of the following ethical actions is the most important?

A: Act legally.
B: Protect Society.
C: Advance and Protect the profession.
D: Provide diligent service.

Answer 147

B: Protect Society.

Question 148

4: Which of the following proves an identity claim?

A: Authentication.
B: Authorization.
C: Accountability.
D: Auditing.

Answer 148

A: Authentication.

Question 149

3: Which of the following is an example of a program policy?

A: Establish the Information Security Program.
B: Email Policy.
C: Application Development Policy.
D: Server Policy.

Answer 149

A: Establish the Information Security Program.

Question 150

5: Which of the following protects against unauthorized changes to data?

A: Confidentiality.
B: Integrity.
C: Availability.
D: Alteration.

Answer 150

B: Integrity.