Domain 3 - Information Security Governance and Risk Management Flashcards
- The basic component of a General Program Policy consists of four basic elements. Among these elements are Purpose or topic, Scope, and Responsibilities. Which of the following is the fourth component?
a. Thesis
b. Provisions
c. Compliance
d. Supplemental information
Explanation: Answer c is the correct answer, and can be found in the cited reference. Answer a is an element found in a topic-specific policy, answer b is sometimes used by policy writers to explain why the policy was written, and answer d is usually found in an application-specific policy.
- Making computer users aware of their security responsibilities and presenting them with the correct practices helps change their behavior. This process of raising end-user consciousness is part of a:
a. In-house education program
b. A new product training course
c. Employee awareness program
d. Skill development
Explanation: Answer c is the correct answer, and is found in the cited reference. Answers a, b and d are related to the overall process of improving end-user use of security systems, but they mainly focus on learning to use specific tools, whereas awareness is a process of behavior modification.
- Agreements used to give notice to employees and other third parties that information is confidential or secret are termed either a confidentiality agreement or a:
a. Employment agreement
b. Condition of employment
c. Non-disclosure agreement
d. Top-secret clearance
Explanation: Answer c is the correct answer and can be found in the ISO 17799. Answer a is generally used with senior level executives and employees with access to competitive advantage information. Answer b might find a non-disclosure agreement as a requirement for employment. Answer d is a clearance level usually restricted to Department of Defense-type information access.
- What kind of document is a high-level statement of enterprise beliefs, goals, and objectives and the general means for their attainment for a specified subject area?
a. Policy
b. Procedure
c. Standard
d. Guideline
Explanation: Answer a is the correct answer, and can be found in the cited reference. Answer b is mandatory, step-by-step processes required to complete a specific task. Answer c is mandatory actions, devices or methods used to support a policy and answer d is recommended actions, devices or methods that can be adopted but are not mandatory.
- The loss potential that exists as the result of the threat-vulnerability pairs. Reducing either the threat or the vulnerability reduces what?
a. Risk
b. Impact
c. Concern
d. Issue
Explanation: Answer a is correct, and can be found in the cited reference. Answer b is the element in risk analysis that tries to identify what level of damage might occur if a threat were to be successful. Answers c and d are sub-elements of the overall risk definition.
- The ISO 17799 International Standard on Information Security characterizes information security as the preservation of CIA: Confidentiality, Integrity and which of the following?
a. Authenticity
b. Accountability
c. Availability
d. Assurance
Explanation: Answer c is the correct answer, and is taken from the cited reference. The other answers are incorrect because they are generally viewed as elements of Integrity.
- The following describes which information security tenet: baseline versions of a product are saved and protected in such a way that they will exist even if something happens to the original version.
a. Change control
b. Version control
c. Software deployment
d. Configuration management
Explanation: Answer d is the correct answer, and can be found in Building Quality Software. Answer a is a process in which system changes are authorized. Answer b is the process used to ensure that all areas have the proper software level or release. Answer c is the process for the orderly distribution of products to the user community.
- The efficient use of resources when attempting to mitigate a business risk is often described as a positive:
a. Operating expense ratio
b. Return on investment
c. Risk Assessment
d. Security Analysis
Explanation: Answer b is the correct answer, and can be found in the reference below. Answer a is a method used to measure management’s ability to control operating expenses. Answer c is a term that represents the assignment of value to assets, threat frequency, and other elements of chance. Answer d is a method to review security controls.
- A possible danger to a system, whether it is a person, thing or event that might exploit a vulnerability of the system is termed as a:
a. Problem
b. Danger
c. Concern
d. Threat
Explanation: Answer d is the correct answer, and is taken from the reference below. Answers a, b and c are incorrect in that they fail to reflect the level of severity a threat poses to a system.
- The characteristic of information being disclosed only to authorized persons, entities, and processes at authorized times and in the authorized manner is known as:
a. Integrity
b. Availability
c. Accountability
d. Confidentiality
Explanation: Answer d is the correct answer and is found in the Generally Accepted System Security Principles (GASSP). Answer a is the characteristic of being accurate, answer b is the characteristic of information being accessible, and answer c is the ability to audit.
- The process of investigating a target environment and the relationships of dangers to the target is known in information security circles as:
a. Value analysis
b. Risk analysis
c. Risk assessment
d. Safeguard checking
Explanation: Answer b is the correct answer, and is found in the cited reference. Answer a is another form of qualitative risk analysis and answer c is a process to assign a value to assets. Answer d is a post-risk-analysis process usually found in a vulnerability assessment.
- The absence or weakness of a risk-reducing safeguard is known as a:
a. Uncertainty
b. Detection
c. Exposure
d. Vulnerability
Explanation: Answer d is the correct answer and can be found in the cited reference. Answer a is the degree to which there is less than complete confidence in the value of any element of the risk assessment. Answer b is the process of identifying the occurrence of an event and the possible agent involved. Answer c is the specific instance of the condition of being unduly exposed to losses.
- The portion of risk that remains due to management decisions, unconsidered factors and/or incorrect conclusions is termed:
a. Loss
b. Residual risk
c. Insurance
d. Threat factors
Explanation: Answer b is the correct answer and can be found in the cited reference. Answer a is what occurs if corrective actions are inadequate, and answer c is a policy one buys to transfer the cost to a third party. Answer d refers to factors that can impact an asset.
- Any action, device, procedure, technique, or other process that reduces the vulnerability of a system or asset to an acceptable level is best identified as a:
a. Safeguard
b. Precaution
c. Safety measure
d. Countermeasure
Explanation: Answer d is the correct answer, and is found in the cited reference. Answer a is another form of countermeasure, answer b is a reason for which countermeasures might be installed, and answer c is a combination of answers a and d.
- The characteristic of a resource or an asset that implies its value or importance, and may include its vulnerability, is known as:
a. Public data
b. Sensitivity
c. Internal Use
d. Threat
Explanation: Answer b is the correct answer and can be found in the cited reference. Answers a and c are levels usually found in an information classification system. Answer d is an element in a risk analysis process.