Domain 3 - Information Security Governance and Risk Management

Question 1

2. The basic component of a General Program Policy consists of four basic elements. Among these elements are Purpose or topic, Scope, and Responsibilities. Which of the following is the fourth component?

a. Thesis
b. Provisions
c. Compliance
d. Supplemental information

Answer 1

Explanation: Answer c is the correct answer, and can be found in the cited reference. Answer a is an element found in a Topic specific policy, Answer b is sometimes used by policy writers to explain why policy was written and answer d is usually found in an application-specific policy.

Question 2

15. Making computer users aware of their security responsibilities and presenting them with the correct practices helps change their behavior. This process of raising end-user consciousness is part of a:

a. In-house education program
b. A new product training course
c. Employee awareness program
d. Skill development

Answer 2

Explanation: Answer c is the correct answer, and is found in the cited reference Answers a, b and d are related to the overall process of improving end-user use of security systems, but the mainly focus on learning to use specific tools, where awareness is a process in behavior modification.

Question 3

28.  Agreements used to give notice that information is confidential or secret to employees and other third parties is termed as either a confidentiality agreement or 
\:
a.	Employment agreement 
b.	Condition of employment
c.	Non-disclosure agreement
d.	Top-secret clearance

Answer 3

Explanation: Answer c is the correct answer and can be found in the ISO 17799. Answer a is generally used with senior level executives and employees with access to competitive advantage information. Answer b might find a non-disclosure agreement as a requirement for employment. Answer d is a clearance level usually restricted to Department of Defense-type information access.

Question 4

29. What kind of document is a high-level statement of enterprise beliefs, goals, and objectives and the general means for their attainment for a specified subject area?

a. Policy
b. Procedure
c. Standard
d. Guideline

Answer 4

Explanation: Answer a is the correct answer, and can be found in the cited reference. Answer b is mandatory, step-by-step processes required to complete a specific task. Answer c is mandatory actions, devices or methods used to support a policy and answer d is recommended actions, devices or methods that can be adopted but are not mandatory.

Question 5

34. The loss potential that exists as the result of the threat-vulnerability pairs. Reducing either the threat or the vulnerability reduces what?

a. Risk
b. Impact
c. Concern
d. Issue

Answer 5

Explanation: Answer a is correct, and can be found in the cited reference. Answer b is the element in risk analysis that tries to identify what level of damage might occur if a threat were to be successful. Answers c and d are sub-elements of the overall risk definition.

Question 6

39. The ISO 17799 International Standard on Information Security characterizes information security as the preservation of CIA: Confidentiality, Integrity and which of the following?

a. Authenticity
b. Accountability
c. Availability
d. Assurance

Answer 6

Explanation: Answer c is the correct answer, and is taken from the cited reference The other answers are incorrect because they are generally viewed as elements of Integrity.

Question 7

42. The following describes what information security tenant: baseline versions of a product are saved and protected in such a way that they will exist even if something happens to the original version.

a. Change control
b. Version control
c. Software deployment
d. Configuration management

Answer 7

Explanation: Answer d is the correct answer, and can be found in Building Quality Software. Answer a is a process in which system changes are authorized. Answer b is the process used to ensure that all areas have the proper software level or release. Answer c is the process for the orderly distribution of products to the user community.

Question 8

66. The efficient use of resources when attempting to mitigate a business risk is often described as a positive:

a. Operating expense ratio
b. Return on investment
c. Risk Assessment
d. Security Analysis

Answer 8

Explanation: Answer b is the correct answer, and can be found in the reference below. Answer a is a method used to measure management’s ability to control operating expenses. Answer c is a term that represents the assignment of value to assets, threat frequency, and other elements of chance. Answer d is a method to review security controls.

Question 9

96. A possible danger to a system, whether it is a person, thing or event that might exploit a vulnerability of the system is termed as a:

a. Problem
b. Danger
c. Concern
d. Threat

Answer 9

Explanation: Answer d is the correct answer, and is taken from the reference below. Answers a, b and c are incorrect in that they fail to reflect the level of severity a threat poses to a system.

Question 10

99. The characteristic of information being disclosed only to authorized persons, entities, and processes at authorized times and in the authorized manner is know as:

a. Integrity
b. Availability
c. Accountability
d. Confidentiality

Answer 10

Explanation: Answer d is the answer and is found in the Generally Accepted System Security Principles (GASSP). Answer a is the characteristics of being accurate, answer b is the characteristic of information being accessible and answer c is the ability to audit.

Question 11

120. The process of investigating a target environment and the relationships of dangers to the target is known in information security circles as:

a. Value analysis
b. Risk analysis
c. Risk assessment
d. Safeguard checking

Answer 11

Explanation: Answer b is the correct, and is found in the cited reference. Answer a is another form of qualitative risk analysis and answer c is a process to assign a value to assets. Answer d is a post risk analysis process usually found in a vulnerability assessment.

Question 12

124. The absence or weakness of a risk-reducing safeguard is know as a:

a. Uncertainty
b. Detection
c. Exposure
d. Vulnerability

Answer 12

Explanation: Answer d is the correct answer and can be found in the cited reference. Answer a is the degree to which there is less than complete confidence in the value of any element of the risk assessment. Answer b is the process of identifying the occurrence of an event and the possible agent involved. Answer c is the specific instance of the condition of being unduly exposed to losses.

Question 13

149. The portion of risk that remains due to management decisions, unconsidered factors and/or incorrect conclusions is termed:

a. Loss
b. Residual risk
c. Insurance
d. Threat factors

Answer 13

Explanation: Answer b is the correct answer and can be found in the cited reference. Answer a is what occurs if corrective actions are inadequate, and c is a policy one buys to transfer the cost to a third-party. Answer d are factors that can impact an asset.

Question 14

159. Any action, device, procedure, technique, or other process that reduces the vulnerability of a system or asset to an acceptable level is best identified as a:

a. Safeguard
b. Precaution
c. Safety measure
d. Countermeasure

Answer 14

Explanation: Answer d is the correct answer, and is found in the cited reference. Answer a is another form a countermeasure, answer b is a reason by which countermeasures might be installed and answer c is a combination of answers a and d.

Question 15

165. The characteristics of a resource or an asset which implies its value or importance, and may include its vulnerability is known as:

a. Public data
b. Sensitivity
c. Internal Use
d. Threat

Answer 15

Explanation: Answer b is the correct answer and can be found in the cited reference. Answers a and c are levels usually found in an information classification system. Answer d is an element in a risk analysis process.

Question 16

181. General statements designed to achieve the policy objectives by providing a framework within which to implement procedures. Where standards are mandatory, these are recommendations.

a. Guidelines
b. Policies
c. Laws
d. Procedures

Answer 16

Explanation: The correct answer is a and can be found in the cited reference. Answer b is the management statement of direction. Answer c is what generally starts the cycle of policy, standard and guideline development. Answer d is the mandatory step-by-step process to complete a task.

Question 17

183. Something of value or what security professionals are trying to protect. In can include data, information, personnel, facilities, applications, hardware, software, or transmission devices. This item of value known in information security as:

a. Asset
b. Program
c. Code
d. Top Secret

Answer 17

Explanation: Answer a is the answer, and can be found in the cited reference. Answer b is a type of asset as is answer c. Answer d is a classification level for information.

Question 18

184. In a policy on employee responsibilities for handling organization information, this individual: the creator of the information or the primary user of the information is classified as the:

a. Custodian
b. Steward
c. User
d. Owner

Answer 18

Explanation: Answer d is the correct answer, and is found in the reference cited below. Answers a and b refer to the individual or entity charged with keeping and protecting the information based on the requirements identified by the owner. Answer c is the party granted the right to use the information.

Question 19

193. The employee, department or third-party entity that is entrusted with ensuring that information assets or resources are appropriately maintained, secured, processed, archived and available as directed by the owner is the:

a. Custodian
b. User
c. Management
d. ISSO

Answer 19

Explanation: the correct answer is a and is found in the cited reference. Answer b is the entity authorized by the owner to user the resource as approved. Answer c is the group required to have policies and to support them. Answer d is the group or individual (Information Systems Security Officer) charged with creates a security architecture to support the business objectives.

Question 20

194. Mandatory activities, actions, rules, or regulations designed to provide policies with the support structure and specific direction are?

a. Guidelines
b. Processes
c. Practices
d. Standards

Answer 20

Explanation: Answer d is the correct answer, and is taken verbatim from the reference cited. Answer a is incorrect because a guideline is not mandatory. Answers b and c are spell out specific steps that must be taken to complete a process.

Question 21

218. The following statement describes what information security tenant? In order for Management to be able to rely on information that is as intended and is not contaminated or corrupted by malicious acts, uncorrected error conditions, or other failures.

a. Accountability
b. Authenticity
c. Access Control
d. Integrity

Answer 21

Explanation: Answer d is the correct answer, and can be found in the GASSP. Answer a is part of the audit process, answer b is the process to ensure system users are who the claim to be and answer c is a process to allow authorized users to access information, transactions or other system functions.

Question 22

226. A classic form of Risk Analysis was presented to the information security profession when it was included in the FIPS PUB 65 in 1979. This process requires the use of the formula of Loss = Impact X Frequency of Occurrence. The results will give the user the:

a. Threat analysis
b. Quantitative risk analysis
c. Annual loss exposure
d. Frequency of threat

Answer 22

Explanation: Answer c is correct, and is found in the cited reference. Answer a is another form of risk analysis created by FEMA. Answer bB is one of the two major classifications of risk analysis and answer d is an element in ALE.

Question 23

229. The process of identifying, controlling and minimizing or eliminating security risks that may affect information systems, for an acceptable cost is which of the following?

a. Vulnerability assessment
b. Risk management
c. Information security policy
d. Safeguard review

Answer 23

Explanation: Answer b is the correct answer, and is taken from ISO 17799. Answers a and c are similar in that both address the process of reviewing controls after they have been implemented. Answer d relates to assessment of controls or safeguards and is part of the Risk Management process.

Question 24

236. The mandatory, step-by-step process that must be done in order to complete a task or assignment are known as:

a. Policies
b. Standards
c. Guidelines
d. Procedures

Answer 24

Explanation: Answer d is the correct answer and can be found in Creating Effective Manuals. Answer a addresses high-level management directives and the general means for there completion. Answer b relates to the mandatory actions or requirements that support policies and answer c is for the non-mandatory actions that can be used to support a policy.

Question 25

244. One of the key processes used in a personnel security program is a method that allows organizations to assess threats presented to them by individuals. This process is normally conducted prior to hiring and is termed:

a. Background investigation
b. Resume skimming
c. Reference checking
d. Credential verification

Answer 25

Explanation: Answer a is the correct answer. And is taken from the reference cited. Answers b, c and d are all part of the employee hiring process, handled by Human Resources.