Domain 3 Flashcards
Which of the following formulas is used to calculate Risk?
a) Risk {due to a threat} = Vulnerability x Threat {to that vulnerability}
b) Risk {due to a vulnerability} = Vulnerability x Threat {to that vulnerability}
c) Risk {due to a threat} = Threat x Vulnerability {to that threat}
d) Risk {due to a vulnerability} = Threat x Vulnerability {to that threat}
Risk {due to a threat} = Threat x Vulnerability {to that threat}
In the formula displayed below, what does ‘Vulnerability’ represent? Risk = Threat x Vulnerability
a) Vulnerability to that specific threat
b) Vulnerability to threats in general
c) Vulnerability to unknown threats
d) Vulnerability to known threats
Vulnerability to that specific threat
Which of the following choices specifies a certain way in which something should be done or a certain brand or type of equipment that must be used?
a) Standard
b) Baseline
c) Policy
d) Procedure
Standard
After you install a well-configured firewall, a web site inside your perimeter is defaced by an outside attack. Which security principle has NOT been addressed?
a) Defense-in-Depth
b) Deny all, then allow as needed
c) Least possible privilege
d) Know your system
Defense-in-Depth
When a threat connects to its vulnerability, what is the result?
a) Reduced risk
b) Possible system compromise
c) Increased impact
d) Increased uncertainty
Possible system compromise
Which of the following is the most common defense tactic?
a) Establishing a strong security policy
b) Applying software patches as soon as possible
c) Deploying perimeter defenses such as firewalls
d) Replacing hubs with switches
Deploying perimeter defenses such as firewalls
The Risk Management option to “accept the risk” is most reasonable after which of the following steps has been taken?
a) Perform penetration testing
b) Identify the probable threats
c) Deploy a perimeter defense
d) Mitigate or reduce the risk
Mitigate or reduce the risk
Of the following, which best describes the ‘insurance model’ of Risk Management?
a) Pass the risk over to a third-party.
b) Redirect the cost of insurance into Risk Avoidance efforts.
c) Follow best practices to insure security.
d) Ignore the risk
Pass the risk over to a third-party
In the formula displayed below, what does the "Exposure Factor" represent? Single Loss Expectancy = Asset Value x Exposure Factor
a) The degree to which an asset is vulnerable to attack.
b) The percentage of loss a threat event would have on the asset.
c) The cost to reduce the risk that an asset is subject to.
d) The likelihood that a threat would escalate into an event.
The percentage of loss a threat event would have on the asset
Which of the following are the two common approaches to risk assessment?
a) Proactive and Reactive
b) In-house and vendor provided
c) Open Source and Closed Source
d) Qualitative and Quantitative
Qualitative and Quantitative
Which of the following methods of risk assessment is the more valuable tool for business decision-making?
a) The Legal exposure method
b) The Human resources method
c) The Quantitative method
d) The Heuristic method
The Quantitative method
Which of the following statements is TRUE?
a) Risk Management is as much about Security as anything.
b) Threats are as much about Risk Management as anything.
c) Vulnerabilities are as much about Security as anything.
d) Security is as much about Risk Management as anything.
Security is as much about Risk Management as anything
Of the following, which best describes the ‘insurance model’ of Risk Management?
a) Redirect the cost of insurance into Risk Avoidance efforts.
b) Follow best practices to insure security.
c) Pass the risk over to a third-party.
d) Escrow adequate funds to insure timely Risk Recovery.
Pass the risk over to a third-party
Which approach to Risk Assessment tries to assign an objective numeric value to describe the degree of risk?
a) The Qualitative approach
b) The Heuristic approach
c) The Elliptical Curve approach
d) The Quantitative approach
The Quantitative approach
Which approach to risk assessment focuses on the more intangible values to describe the degree of risk?
a) The Qualitative approach
b) The Quantitative approach
c) The Ephemeral approach
d) The Consensus approach
The Qualitative approach
A security incident can be thought of in which of the following terms?
a) Confidentiality, integrity and portability
b) Confidentiality, integrity and availability
c) Integrity, privacy and accountability
d) Availability, accountability and authority
Confidentiality, integrity and availability
Why is it that a firewall alone cannot provide acceptable security?
a) Threats can come in different forms and sources.
b) A firewall can be compromised or bypassed.
c) A firewall cannot defend against most malware.
d) Threats can come from malicious insiders.
Threats can come in different forms and sources
Which of the following is MOST required in order to reduce or prevent vulnerabilities?
a) You must know about the vulnerabilities.
b) You must have proper authorization.
c) Authenticated vendor patches, hot fixes or alerts
d) Consensus from top management
You must know about the vulnerabilities
Which of the following is NOT one of the three Risk Choices?
a) Accept the risk as is.
b) Mitigate or reduce the risk.
c) Transfer the risk.
d) Reject the risk as is.
Reject the risk as is
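Worked example (added to this deck, not part of the original flashcards): the quantitative approach from the cards above, carried through in Python. It uses the deck's formula SLE = Asset Value x Exposure Factor, extends it with the standard annualized rate of occurrence (ARO) to get an annualized loss expectancy (ALE = SLE x ARO), and then prices the three risk choices (accept, mitigate, transfer) against each other, so that "accept" is applied to the residual risk left after mitigation, as the earlier card states. ARO and ALE are assumed extensions the deck does not state; the asset, exposure figures, countermeasures and insurance premium are constructed sample inputs; and treating a transferred risk as costing only its premium is a simplification.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Worked example added to the flashcards; the inputs below are constructed.
# ARO and ALE are the standard quantitative-assessment extensions of the
# deck's SLE = AV x EF formula and are assumed here, not stated by the deck.


@dataclass(frozen=True)
class Exposure:
    """One asset paired with one threat to it (risk = threat x vulnerability)."""
    asset: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost in one threat event (0.0-1.0)
    aro: float              # ARO: expected threat events per year (assumed input)


@dataclass(frozen=True)
class Countermeasure:
    """A mitigation: what it costs per year and the residual EF/ARO it leaves."""
    name: str
    annual_cost: float
    residual_ef: float
    residual_aro: float


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is a fraction of the asset's value, not a percentage."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0.0 and 1.0")
    return asset_value * exposure_factor


def annualized_loss_expectancy(exposure: Exposure) -> float:
    """ALE = SLE x ARO: the expected loss per year with no new controls."""
    sle = single_loss_expectancy(exposure.asset_value, exposure.exposure_factor)
    return sle * exposure.aro


def residual_ale(exposure: Exposure, cm: Countermeasure) -> float:
    """ALE that remains after the countermeasure is in place."""
    return single_loss_expectancy(exposure.asset_value, cm.residual_ef) * cm.residual_aro


def countermeasure_value(exposure: Exposure, cm: Countermeasure) -> float:
    """(ALE before) - (ALE after) - (annual cost). Positive means it pays for itself."""
    return annualized_loss_expectancy(exposure) - residual_ale(exposure, cm) - cm.annual_cost


def choose_risk_treatment(exposure: Exposure,
                          countermeasures: list[Countermeasure],
                          transfer_premium: Optional[float] = None) -> tuple[str, str, float]:
    """Price the three risk choices and return (choice, detail, expected annual cost).

    accept:   live with the full ALE.
    mitigate: pay for the control, then accept the residual ALE it leaves.
    transfer: pay the premium (assumes the policy covers the whole loss).
    """
    options = [("accept", "accept the risk as is", annualized_loss_expectancy(exposure))]
    for cm in countermeasures:
        options.append(("mitigate", cm.name, residual_ale(exposure, cm) + cm.annual_cost))
    if transfer_premium is not None:
        options.append(("transfer", "insurance model", transfer_premium))
    return min(options, key=lambda option: option[2])


# Constructed sample inputs.
CUSTOMER_DB = Exposure("customer database", asset_value=500_000,
                       exposure_factor=0.4, aro=0.5)
BACKUPS = Countermeasure("offsite encrypted backups", annual_cost=15_000,
                         residual_ef=0.1, residual_aro=0.5)
DLP_SUITE = Countermeasure("enterprise DLP suite", annual_cost=120_000,
                           residual_ef=0.05, residual_aro=0.2)
CYBER_POLICY_PREMIUM = 60_000


if __name__ == "__main__":
    sle = single_loss_expectancy(CUSTOMER_DB.asset_value, CUSTOMER_DB.exposure_factor)
    print(f"SLE = {sle:,.0f}")
    print(f"ALE = {annualized_loss_expectancy(CUSTOMER_DB):,.0f}")
    for cm in (BACKUPS, DLP_SUITE):
        print(f"{cm.name}: value {countermeasure_value(CUSTOMER_DB, cm):,.0f}")
    print(choose_risk_treatment(CUSTOMER_DB, [BACKUPS, DLP_SUITE], CYBER_POLICY_PREMIUM))
```

With the sample figures the backups pay for themselves (ALE drops from 100,000 to 25,000 for a 15,000 spend), the DLP suite costs more per year than the risk it removes, and insurance at 60,000 only wins when the cheap control is unavailable; with no affordable control and no policy, the only remaining choice is to accept the risk. Note the EF check: a common spreadsheet error is entering 40 for "40%" rather than 0.4, which inflates the SLE forty-fold.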
Which of the following is required before deciding between accepting, mitigating, or transferring a risk?
a) Our legal department should be consulted.
b) The threat should first be mitigated or reduced.
c) We should understand the risk and how it affects us.
d) Eliminate all uncertainty associated with the risk.
We should understand the risk and how it affects us
Which of the following is NOT a benefit of security awareness?
a) Measurable reduction in unauthorized actions attempted by personnel
b) Increases the effectiveness of protection controls
c) Reduces the layers of ‘defense-in-depth’ to a more manageable level
d) Helps to avoid fraud, waste and abuse of computing resources
Reduces the layers of ‘defense-in-depth’ to a more manageable level
Which of the following terms is best defined by the statement below? 'General, collective awareness of an organization's personnel of the importance of security and security controls.'
a) Security Posture
b) Security Awareness
c) Security Management
d) Security Measurement
Security Awareness
Regarding 'Data Classification Roles', an 'Owner' can be described by any of the following except one. Which of the following does NOT describe a data 'owner'?
a) An executive or manager of an organization
b) Responsible for the asset of information that must be protected
c) Has the final corporate responsibility of data protection
d) Verifies the data’s integrity
Verifies the data’s integrity
When talking about ‘Data Classification Roles’, a ‘custodian’ is concerned with all of the following except which one?
a) Running regular backups and routinely testing the validity of the backup.
b) Performing data restoration from the backups when necessary.
c) Maintaining those retained records in accordance with the established information classification policy.
d) Determining the data’s value to the organization and the threshold beyond which obsolete data is purged.
Determining the data’s value to the organization and the threshold beyond which obsolete data is purged
Which of the following is NOT one of the ‘Data Classification Roles’?
a) Owner
b) Developer
c) User
d) Custodian
Developer
Integrity includes all of the following characteristics except which one?
a) Prevent the intentional or unintentional unauthorized disclosure of a message’s contents.
b) Modifications are not made to data by unauthorized personnel or processes.
c) Unauthorized modifications are not made to data by authorized personnel or processes.
d) Data is internally and externally consistent.
Prevent the intentional or unintentional unauthorized disclosure of a message’s contents
How can 'Confidentiality, Integrity, and Availability (CIA)' also be expressed?
a) Security Effectively Applied (SEA)
b) Disclosure, Alteration, and Destruction (DAD)
c) Anonymity, Precaution, and Evasion (APE)
d) Firewalls, Backups, Integrity (FBI)
Disclosure, Alteration, and Destruction (DAD)
Which of the following is the central characteristic of accountability?
a) The rights and permissions granted to an individual (or process), which enable access to a computer.
b) Reliable and timely access to data or computing resources by the appropriate personnel.
c) A system’s ability to determine the actions and behavior of a single individual within a system.
d) Detailed steps to be followed by users, system operations personnel or others to accomplish a specific task.
A system’s ability to determine the actions and behavior of a single individual within a system
One way to describe ‘policies’ is to say that they are a collection of senior management’s directives. Which of the following would NOT be a senior management directive?
a) Determine the products and components to be used.
b) Create a computer security program.
c) Establish the goals of the computer security program.
d) Assign responsibilities.
Determine the products and components to be used
When talking about vulnerability, there are certain requirements that turn a condition into a vulnerability. Which of the following is NOT a requirement of vulnerability?
a) Weaknesses that allow threats to happen
b) Must be coupled with a threat to have an impact
c) Malicious damage to a system or data
d) Can be prevented (if you know about them)
Malicious damage to a system or data
Error checking is an example of which of the following control measures?
a) Implementing strong integrity measures
b) Implementing strong availability measures
c) Implementing strong confidentiality measures
d) Implementing data validation
Implementing strong integrity measures
Confidentiality, integrity, and availability can also be expressed by which of the following choices?
a) Disclosure, Alteration, and Destruction
b) Denial of Service, Attenuation, and Destruction
c) Denial of Service, Alteration, and Disclosure
d) Disclosure, Attenuation, and Denial of Service
Disclosure, Alteration, and Destruction
Which of the following labels is NOT commonly used by the government?
a) Top Secret
b) Confidential
c) Sensitive but Unclassified
d) Trade Secret
Trade Secret
Denial of Service attacks, hostile code, EMI, and power outages are examples of threats that could affect which of the following choices?
a) Availability
b) Integrity
c) Confidentiality
d) Visibility attacks
Availability
There are four categories of authentication. Which of the following choices is NOT a category?
a) Someplace you are
b) Something you know
c) Something you have
d) Something you get
Something you get
Which type of data classification is given the highest level of protection?
a) Unclassified
b) Sensitive but Unclassified
c) Confidential
d) Top Secret
Top Secret
Which of the following choices is the first step when creating a data classification process?
a) Create an enterprise awareness program
b) Identify the administrator
c) Specify the termination procedures
d) Specify the controls
Identify the administrator
Which of the following choices is NOT a responsibility of a data custodian?
a) Provides hands on management
b) Administer the classification scheme
c) Makes critical decisions
d) Running regular backups
Makes critical decisions
Which of the following choices defines the strategic goals for the organization?
a) Procedure
b) Guideline
c) Standard
d) Policy
Policy