Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

SP4 > Domain 1 - Security and Risk Management > Flashcards

Domain 1 - Security and Risk Management Flashcards

1
Q
  1. Within the realm of IT security , which of the following combinations best defines risk?

A. Threat coupled with a breach
B. Threat coupled with a vulnerability
C. Vulnerability coupled with an attack
D. Threat coupled with a breach of security

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q
  1. When determining the value of an intangible asset which is the BEST approach?

A. Determine the physical storage costs and multiply by the expected life of the company
B. With the assistance of a finance accounting professional determine how much profit the asset has returned
C. Review the depreciation of the intangible asset over the past three years
D. Use the historical acquisition or development cost of the intangible asset

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q
  1. Qualitative risk assessment is earmarked by which of the following?

A. Ease of implementation and it can be completed by personnel with a limited understanding of the risk assessment process
B. Can be completed by personnel with a limited understanding of the risk assessment process and uses detailed metrics used for calculation of risk
C. Detailed metrics used for calculation of risk and ease of implementation
D. Can be completed by personnel with a limited understanding of the risk assessment process and detailed metrics used for the calculation of risk.

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q
  1. Single loss expectancy (SLE) is calculated by using:

A. Asset value and annualized rate of occurrence (ARO)
B. Asset value, local annual frequency estimate (LAFE), and standard annual frequency estimate (SAFE)
C. Asset value and exposure factor
D. Local annual frequency estimate and annualized rate of occurrence

A

C

*The formula for calculating SLE is SLE = asset value (in $) X exposure factor (loss in successful threat exploit, as %).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q
  1. Consideration for which type of risk assessment to perform includes all of the following:

A. Culture of the organization, likelihood of exposure and budget
B. Budget, capabilities of resources and likelihood of exposure
C. Capabilities of resources, likelihood of exposure and budget
D. Culture of the organization, budget, capabilities and resources

A

D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q
  1. Security awareness training includes:

A. Legislated security compliance objectives
B. Security roles and responsibilities for staff
C. The high-level outcome of vulnerability assessments
D. Specialized curriculum assignments, coursework and an accredited institution

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q
  1. What is the minimum and customary practice of responsible protection of assets that affects a community or societal norm?

A. Due diligence
B. Risk mitigation
C. Asset protection
D. Due care

A

D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q
  1. Effective security management:

A. Achieves security at the lowest cost
B. Reduces risk to an acceptable level
C. Prioritizes security for new products
D. Installs patches in a timely manner

A

B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q
  1. Availability makes information accessible by protecting from:

A. Denial of services, fires, floods, hurricanes, and unauthorized transactions
B. Fires, floods, hurricanes, unauthorized transactions and unreadable backup tapes
C. Unauthorized transactions, fires, floods, hurricanes and unreadable backup tapes
D. Denial of services, fires floods, and hurricanes and unreadable backup tapes.

A

D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q
  1. Which phrase best defines a business continuity/disaster recover plan?

A. A set of plans for preventing a disaster.
B. An approved set of preparations and sufficient procedures for responding to a disaster.
C. A set of preparations and procedures for responding to a disaster without management approval.
D. The adequate preparations and procedures for the continuation of all organization functions.

A

D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q
  1. Which of the following steps should be performed first in a business impact analysis (BIA)?

A. Identify all business units within an organization
B. Evaluate the impact of disruptive events
C. Estimate the Recovery Time Objectives (RTO)
D. Evaluate the criticality of business functions

A

A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q
  1. Tactical security plans are BEST used to:

A. Establish high-level security policies
B. Enable enterprise/entity-wide security management
C. Reduce downtime
D. Deploy new security technology

A

D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q
  1. Who is accountable for implementing information security?

A. Everyone
B. Senior management
C. Security officer
D. Data owners

A

C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q
  1. Security is likely to be most expensive when addressed in which phase?

A. Design
B. Rapid prototyping
C. Testing
D. Implementation

A

D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q
  1. Information systems auditors help the organization:

A. Mitigate compliance issues
B. Establish an effective control environment
C. Identify control gaps
D. Address information technology for financial statements

A

C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q
  1. The Facilitated Risk Analysis Process (FRAP)

A. makes a base assumption that a broad risk assessment is the most efficient way to determine risk in a system, business segment, application or process.
B. makes a base assumption that a narrow risk assessment is the most efficient way to determine risk in a system, business segment, application or process.
C. makes a base assumption that a narrow risk assessment is the least efficient way to determine risk in a system, business segment, application or process.
D. makes a base assumption that a broad risk assessment is the least efficient way to determine risk in a system, business segment, application or process.

A

B

17
Q
  1. Setting clear security roles has the following benefits:

A. Establishes personal accountability, reduces cross-training requirements and reduces departmental turf battles
B. Enables continuous improvement, reduces cross-training requirements and reduces departmental turf battles
C. Establishes personal accountability, establishes continuous improvement and reduces turf battles
D. Reduces departmental turf battles, Reduces cross-training requirements and establishes personal accountability

A

C

18
Q
  1. Well-written security program policies are BEST reviewed:

A. At least annually or at pre-determined organization changes
B. After major project implementations
C. When applications or operating systems are updated
D. When procedures need to be modified

A

A

19
Q
  1. An organization will conduct a risk assessment to evaluate
    A. Threats to its assets, vulnerabilities not present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on the organization, the residual risk
    B. Threats to its assets, vulnerabilities present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on another organization, the residual risk
    C. Threats to its assets, vulnerabilities present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on the organization, the residual risk
    D. threats to its assets, vulnerabilities present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on the organization, the total risk
A

C

20
Q
  1. A security policy which will remain relevant and meaningful over time includes the following:

A. Directive words such as shall, must, or will, technical specifications and is short in length
B. Defined policy development process, short in length and contains directive words such as shall, must or will
C. Short in length, technical specifications and contains directive words such as shall, must or will
D. Directive words such as shall, must, or will, defined policy development process and is short in length

A

D

21
Q
  1. The ability of one person in the finance department to add vendors to the vendor database and subsequently pay the vendor violates which concept?

A. A well-formed transaction
B. Separation of duties
C. Least privilege
D. Data sensitivity level

A

B

22
Q
  1. Collusion is best mitigated by:

A. Job rotation
B. Data classification
C. Defining job sensitivity level
D. Least privilege

A

A

23
Q
  1. Data access decisions are best made by:

A. User managers
B. Data owners
C. Senior management
D. Application developer

A

B

24
Q
  1. Which of the following statements BEST describes the extent to which an organization should address business continuity or disaster recovery planning?

A. Continuity planning is a significant organizational issue and should include all parts or functions of the company.
B. Continuity planning is a significant technology issue and the recovery of technology should be its primary focus.
C. Continuity planning is required only where there is complexity in voice and data communications.
D. Continuity planning is a significant management issue and should include the primary functions specified by management.

A

A

25
Q
  1. Business impact analysis is performed to BEST identify:

A. The impacts of a threat to the organization operations.
B. The exposures to loss to the organization.
C. The impacts of a risk on the organization.
D. The cost efficient way to eliminate threats.

A

B

26
Q
  1. During the risk analysis phase of the planning, which of the following actions could BEST manage threats or mitigate the effects of an event?

A. Modifying the exercise scenario.
B. Developing recovery procedures.
C. Increasing reliance on key individuals
D. Implementing procedural controls

A

D

27
Q
  1. The BEST reason to implement additional controls or safeguards is to:

A. deter or remove the risk.
B. identify and eliminate the threat.
C. reduce the impact of the threat
D. identify the risk and the threat.

A

C

28
Q
  1. Which of the following statements BEST describes organization impact analysis?

A. Risk analysis and organization impact analysis are two different terms describing the same project effort.
B. A organization impact analysis calculates the probability of disruptions to the organization.
C. A organization impact analysis is critical to development of a business continuity plan.
D. A organization impact analysis establishes the effect of disruptions on the organization.

A

D

29
Q
  1. The term “disaster recovery” refers to the recovery of:

A. organization operations.
B. technology environment.
C. manufacturing environment.
D. personnel environments.

A

B

30
Q
  1. Which of the following terms BEST describes the effort to determine the consequences of disruptions that could result from a disaster?

A. Business impact analysis.
B. Risk analysis.
C. Risk assessment.
D. Project problem definition

A

A

31
Q
  1. The elements of risk are as follows:

A. Natural disasters and manmade disasters
B. Threats, assets and mitigating controls
C. Risk and business impact analysis
D. business impact analysis and mitigating controls

A

B

32
Q
  1. Which of the following methods is not acceptable for exercising the business continuity plan?

A. Table-top exercise.
B. Call exercise.
C. Simulated exercise.
D. Halting a production application or function.

A

D

33
Q
  1. Which of the following is the primary desired result of any well-planned business continuity exercise?

A. Identifies plan strengths and weaknesses.
B. Satisfies management requirements.
C. Complies with auditor’s requirements.
D. Maintains shareholder confidence

A

A

34
Q
  1. A business continuity plan is best updated and maintained:

A. Annually or when requested by auditors.
B. Only when new versions of software are deployed.
C. Only when new hardware is deployed.
D. During the configuration and change management process.

A

D

35
Q
  1. Which of the following is MOST important for successful business continuity?

A. Senior leadership support.
B. Strong technical support staff.
C. Extensive wide are network infrastructure.
D. An integrated incident response team.

A

A

36
Q
  1. A service’s recovery point objective is zero. Which approach BEST ensures the requirement is met?

A. RAID 6 with a hot site alternative.
B. RAID 0 with a warm site alternative
C. RAID 0 with a cold site alternative
D. RAID 6 with a reciprocal agreement.

A

A

37
Q
  1. The (ISC)2 code of ethics resolves conflicts between canons by:

A. there can never be conflicts between canons.
B. working through adjudication.
C. the order of the canons.
D. vetting all canon conflicts through the board of directors.

A

C

SP4 (9 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions